CVE-2024-39600

Under certain conditions, the memory of SAP GUI for Windows contains the password used to log on to an SAP system, which might allow an attacker to get hold of the password and impersonate the affected user. As a result, it has a high impact on the confidentiality but there is no impact on the integrity and availability.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.6 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3461110	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory
https://me.sap.com/notes/3461110	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:gui_for_windows:8.0:*:*:*:*:*:*:*

History

22 Jan 2025, 18:33

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:sap:gui_for_windows:8.0:::::::*
References	~~() https://me.sap.com/notes/3461110 -~~	() https://me.sap.com/notes/3461110 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory
First Time		Sap Sap gui For Windows

21 Nov 2024, 09:28

Type	Values Removed	Values Added
References	~~() https://me.sap.com/notes/3461110 -~~	() https://me.sap.com/notes/3461110 -
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday -

09 Jul 2024, 18:19

Type	Values Removed	Values Added
Summary		(es) Bajo ciertas condiciones, la memoria de SAP GUI para Windows contiene la contraseña utilizada para iniciar sesión en un sistema SAP, lo que podría permitir a un atacante obtener la contraseña y hacerse pasar por el usuario afectado. Como resultado, tiene un alto impacto en la confidencialidad pero no hay impacto en la integridad y disponibilidad.

09 Jul 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 05:15

Updated : 2025-01-22 18:33

NVD link : CVE-2024-39600

Mitre link : CVE-2024-39600

CVE.ORG link : CVE-2024-39600

JSON object : View

Products Affected

sap

gui_for_windows

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-Other

{"id": "CVE-2024-39600", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 0.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.6}]}, "published": "2024-07-09T05:15:13.147", "references": [{"url": "https://me.sap.com/notes/3461110", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3461110", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Under certain conditions, the memory of SAP GUI\nfor Windows contains the password used to log on to an SAP system, which might\nallow an attacker to get hold of the password and impersonate the affected\nuser. As a result, it has a high impact on the confidentiality but there is no\nimpact on the integrity and availability."}, {"lang": "es", "value": "Bajo ciertas condiciones, la memoria de SAP GUI para Windows contiene la contrase\u00f1a utilizada para iniciar sesi\u00f3n en un sistema SAP, lo que podr\u00eda permitir a un atacante obtener la contrase\u00f1a y hacerse pasar por el usuario afectado. Como resultado, tiene un alto impacto en la confidencialidad pero no hay impacto en la integridad y disponibilidad."}], "lastModified": "2025-01-22T18:33:47.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:gui_for_windows:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74ED382C-6C84-4C2F-BF8E-51AC10DB3611"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}