CVE-2024-42376

SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3474590	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:::::::*

History

12 Sep 2024, 13:43

Type	Values Removed	Values Added
References	~~() https://me.sap.com/notes/3474590 -~~	() https://me.sap.com/notes/3474590 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory
CPE		cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:::::::*
First Time		Sap shared Service Framework Sap
Summary		(es) SAP Shared Service Framework no realiza la verificación de autorización necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Si la explotación tiene éxito, un atacante puede causar un gran impacto en la confidencialidad de la aplicación.

13 Aug 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-13 04:15

Updated : 2024-09-12 13:43

NVD link : CVE-2024-42376

Mitre link : CVE-2024-42376

CVE.ORG link : CVE-2024-42376

JSON object : View

Products Affected

sap

shared_service_framework

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-42376", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-08-13T04:15:10.837", "references": [{"url": "https://me.sap.com/notes/3474590", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SAP Shared Service Framework does not perform necessary\nauthorization check for an authenticated user, resulting in escalation of\nprivileges. On successful exploitation, an attacker can cause a high impact on\nconfidentiality of the application."}, {"lang": "es", "value": "SAP Shared Service Framework no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Si la explotaci\u00f3n tiene \u00e9xito, un atacante puede causar un gran impacto en la confidencialidad de la aplicaci\u00f3n."}], "lastModified": "2024-09-12T13:43:27.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AC1EAA0-7B20-4B4C-9F7D-8F7832D91BCE"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFE56A04-ADDE-4A27-87CA-C801DFA5CD80"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36822481-BB89-421A-99D5-33854E6080B9"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BA0ED8A-F75D-49DF-BD37-CD3273E2F8E4"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6852223A-C675-4F29-92E4-90092DBDF11E"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}