CVE-2024-42377

SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3474590	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:::::::*
	cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:::::::*

History

12 Sep 2024, 13:42

Type	Values Removed	Values Added
First Time		Sap shared Service Framework Sap
Summary		(es) El framework de servicios compartidos de SAP permite a un usuario no administrativo autenticado llamar a una función habilitada de forma remota, lo que le permitirá insertar entradas de valores en una tabla no confidencial, lo que causa un bajo impacto en la integridad de la aplicación.
References	~~() https://me.sap.com/notes/3474590 -~~	() https://me.sap.com/notes/3474590 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory
CPE		cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:::::::* cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:::::::*

13 Aug 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-13 04:15

Updated : 2024-09-12 13:42

NVD link : CVE-2024-42377

Mitre link : CVE-2024-42377

CVE.ORG link : CVE-2024-42377

JSON object : View

Products Affected

sap

shared_service_framework

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-42377", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-08-13T04:15:11.290", "references": [{"url": "https://me.sap.com/notes/3474590", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SAP shared service framework allows an\nauthenticated non-administrative user to call a remote-enabled function, which\nwill allow them to insert value entries into a non-sensitive table, causing low\nimpact on integrity of the application"}, {"lang": "es", "value": "El framework de servicios compartidos de SAP permite a un usuario no administrativo autenticado llamar a una funci\u00f3n habilitada de forma remota, lo que le permitir\u00e1 insertar entradas de valores en una tabla no confidencial, lo que causa un bajo impacto en la integridad de la aplicaci\u00f3n."}], "lastModified": "2024-09-12T13:42:11.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AC1EAA0-7B20-4B4C-9F7D-8F7832D91BCE"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFE56A04-ADDE-4A27-87CA-C801DFA5CD80"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36822481-BB89-421A-99D5-33854E6080B9"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BA0ED8A-F75D-49DF-BD37-CD3273E2F8E4"}, {"criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6852223A-C675-4F29-92E4-90092DBDF11E"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}