Vulnerability-Lookup

CVE-2024-39592 (GCVE-0-2024-39592)

Vulnerability from cvelistv5 – Published: 2024-07-09 03:45 – Updated: 2024-08-02 04:26

Title

[CVE-2024-39592] Missing Authorization check in SAP PDCE

Summary

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

sap

References

URL

Tags

	https://url.sap/sapsecuritypatchday
	https://me.sap.com/notes/3483344

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP PDCE	Affected: S4CORE 102 Affected: S4CORE 103 Affected: S4COREOP 104 Affected: S4COREOP 105 Affected: S4COREOP 106 Affected: S4COREOP 107 Affected: S4COREOP 108

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "sap_pdce",
            "vendor": "sap_se",
            "versions": [
              {
                "status": "affected",
                "version": "S4CORE 102"
              },
              {
                "status": "affected",
                "version": "S4CORE 103"
              },
              {
                "status": "affected",
                "version": "S4COREOP 104"
              },
              {
                "status": "affected",
                "version": "S4COREOP 105"
              },
              {
                "status": "affected",
                "version": "S4COREOP 106"
              },
              {
                "status": "affected",
                "version": "S4COREOP 107"
              },
              {
                "status": "affected",
                "version": "S4COREOP 108"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-24T18:22:20.617499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T18:33:09.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:26:15.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://url.sap/sapsecuritypatchday"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3483344"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP PDCE",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "S4CORE 102"
            },
            {
              "status": "affected",
              "version": "S4CORE 103"
            },
            {
              "status": "affected",
              "version": "S4COREOP 104"
            },
            {
              "status": "affected",
              "version": "S4COREOP 105"
            },
            {
              "status": "affected",
              "version": "S4COREOP 106"
            },
            {
              "status": "affected",
              "version": "S4COREOP 107"
            },
            {
              "status": "affected",
              "version": "S4COREOP 108"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eElements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\u003c/p\u003e\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application.\n\n\n\n"
            }
          ],
          "value": "Elements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\n\n\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T03:45:56.018Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://url.sap/sapsecuritypatchday"
        },
        {
          "url": "https://me.sap.com/notes/3483344"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "[CVE-2024-39592] Missing Authorization check in SAP PDCE",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-39592",
    "datePublished": "2024-07-09T03:45:56.018Z",
    "dateReserved": "2024-06-26T09:58:24.095Z",
    "dateUpdated": "2024-08-02T04:26:15.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39592\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-24T18:22:20.617499Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*\"], \"vendor\": \"sap_se\", \"product\": \"sap_pdce\", \"versions\": [{\"status\": \"affected\", \"version\": \"S4CORE 102\"}, {\"status\": \"affected\", \"version\": \"S4CORE 103\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 104\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 105\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 106\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 107\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 108\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-24T18:31:14.221Z\"}}], \"cna\": {\"title\": \"[CVE-2024-39592] Missing Authorization check in SAP PDCE\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP PDCE\", \"versions\": [{\"status\": \"affected\", \"version\": \"S4CORE 102\"}, {\"status\": \"affected\", \"version\": \"S4CORE 103\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 104\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 105\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 106\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 107\"}, {\"status\": \"affected\", \"version\": \"S4COREOP 108\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\"}, {\"url\": \"https://me.sap.com/notes/3483344\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Elements of PDCE does not perform necessary\\nauthorization checks for an authenticated user, resulting in escalation of\\nprivileges.\\n\\n\\n\\nThis\\nallows an attacker to read sensitive information causing high impact on the\\nconfidentiality of the application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eElements of PDCE does not perform necessary\\nauthorization checks for an authenticated user, resulting in escalation of\\nprivileges.\u003c/p\u003e\\n\\nThis\\nallows an attacker to read sensitive information causing high impact on the\\nconfidentiality of the application.\\n\\n\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-07-09T03:45:56.018Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39592\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-24T18:33:09.047Z\", \"dateReserved\": \"2024-06-26T09:58:24.095Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-07-09T03:45:56.018Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-AVI-0190

Vulnerability from certfr_avis - Published: 2025-03-11 - Updated: 2025-03-11

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	N/A	Electronic Invoicing for Brazil (eDocument Cockpit) versions SAP_APPL 617, 618, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	Just In Time versions S4CORE 102, 103, 104, 105, 106, 107, 108 et ECC-DIMP 618 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Application Server ABAP versions SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de sécurité
SAP	N/A	Business Objects Business Intelligence Platform versions ENTERPRISE 430, 2025,2027, ENTERPRISECLIENTTOOLS 430 et 2025 sans le dernier correctif de sécurité
SAP	N/A	Permit to Work versions UIS4HOP1 800 et 900 sans le dernier correctif de sécurité
SAP	N/A	Commerce Cloud et Datahub, versions Y_COM 2205, HY_DHUB 2205, COM_CLOUD 2211 et DHUB_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93 et KERNEL 9.14 sans le dernier correctif de sécurité
SAP	N/A	Commerce Cloud versions Y-COM 2205 et COM-CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver (ABAP Class Builder) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de sécurité
SAP	N/A	Web Dispatcher et Internet Communication Manager versions KRNL64UC 7.53, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.89, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93 et KERNEL 9.14 sans le dernier correctif de sécurité
SAP	N/A	PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Enterprise Portal (OBN component) version EP-RUNTIME 7.50 sans le dernier correctif de sécurité
SAP	N/A	Business One (Service Layer) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de sécurité
SAP	N/A	Fiori apps (Posting Library) versions S4CORE 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Application Server Java version AJAX-RUNTIME 7.50 sans le dernier correctif de sécurité
SAP	N/A	CRM et S/4HANA (Interaction Center) versions S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de sécurité
SAP	N/A	Business Objects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité
SAP	N/A	Business Warehouse (Process Chains) versions DW4CORE 100, DW4CORE 200, DW4CORE 300, DW4CORE 400, DW4CORE 914, SAP_BW 730, SAP_BW 731, SAP_BW 740 et SAP_BW 750 sans le dernier correctif de sécurité
SAP	N/A	S/4HANA (RBD) versions S4CORE 102, 103, 104, 105, 106, 107, 108, EA-FINSERV 618 et EA-FINSERV 800 sans le dernier correctif de sécurité
SAP	N/A	Bibliothèque @sap/approuter versions antérieures à 16.7.1
SAP	N/A	Commerce (Swagger UI) version COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	S/4HANA (Manage Bank Statements) versions S4CORE 107 et S4CORE 108 sans le dernier correctif de sécurité

References

Title

Publication Time

Tags

Bulletin de sécurité SAP march-2025

2025-03-11

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Electronic Invoicing for Brazil (eDocument Cockpit) versions SAP_APPL 617, 618, S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Just In Time versions S4CORE 102, 103, 104, 105, 106, 107, 108 et ECC-DIMP 618 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP versions SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform versions ENTERPRISE 430, 2025,2027, ENTERPRISECLIENTTOOLS 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Permit to Work versions UIS4HOP1 800 et 900 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Cloud et Datahub, versions Y_COM 2205, HY_DHUB 2205, COM_CLOUD 2211 et DHUB_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93 et KERNEL 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Cloud versions Y-COM 2205 et COM-CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (ABAP Class Builder) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Web Dispatcher et Internet Communication Manager versions KRNL64UC 7.53, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.89, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93 et KERNEL 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Enterprise Portal (OBN component) version EP-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business One (Service Layer) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori apps (Posting Library) versions S4CORE 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server Java version AJAX-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM et S/4HANA (Interaction Center) versions S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse (Process Chains) versions DW4CORE 100, DW4CORE 200, DW4CORE 300, DW4CORE 400, DW4CORE 914, SAP_BW 730, SAP_BW 731, SAP_BW 740 et SAP_BW 750 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (RBD) versions S4CORE 102, 103, 104, 105, 106, 107, 108, EA-FINSERV 618 et EA-FINSERV 800 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Biblioth\u00e8que @sap/approuter versions ant\u00e9rieures \u00e0 16.7.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce (Swagger UI) version COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Manage Bank Statements) versions S4CORE 107 et S4CORE 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-26661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26661"
    },
    {
      "name": "CVE-2025-27433",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27433"
    },
    {
      "name": "CVE-2024-38286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
    },
    {
      "name": "CVE-2025-25245",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25245"
    },
    {
      "name": "CVE-2024-38819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
    },
    {
      "name": "CVE-2025-23194",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23194"
    },
    {
      "name": "CVE-2025-26660",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26660"
    },
    {
      "name": "CVE-2025-25244",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25244"
    },
    {
      "name": "CVE-2024-38820",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
    },
    {
      "name": "CVE-2025-26658",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26658"
    },
    {
      "name": "CVE-2025-24876",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24876"
    },
    {
      "name": "CVE-2025-23188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23188"
    },
    {
      "name": "CVE-2025-27434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27434"
    },
    {
      "name": "CVE-2025-0062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0062"
    },
    {
      "name": "CVE-2025-26659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26659"
    },
    {
      "name": "CVE-2024-41736",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41736"
    },
    {
      "name": "CVE-2025-27432",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27432"
    },
    {
      "name": "CVE-2025-26656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26656"
    },
    {
      "name": "CVE-2025-23185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23185"
    },
    {
      "name": "CVE-2025-25242",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25242"
    },
    {
      "name": "CVE-2025-27430",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27430"
    },
    {
      "name": "CVE-2025-27431",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27431"
    },
    {
      "name": "CVE-2025-26655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26655"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2025-0071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0071"
    },
    {
      "name": "CVE-2025-27436",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27436"
    },
    {
      "name": "CVE-2024-52316",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52316"
    }
  ],
  "initial_release_date": "2025-03-11T00:00:00",
  "last_revision_date": "2025-03-11T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0190",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-03-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-03-11",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP march-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2025.html"
    }
  ]
}

CERTFR-2025-AVI-0396

Vulnerability from certfr_avis - Published: 2025-05-13 - Updated: 2025-06-12

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	S/4HANA	S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 et 608
SAP	N/A	Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 et 102
SAP	NetWeaver	NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50
SAP	N/A	Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52
SAP	Business Objects Business Intelligence Platform	BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025
SAP	N/A	Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 et 2027
SAP	NetWeaver Application Server ABAP et ABAP Platform	NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	Data Services Management Console version SBOP DS JOB SERVER 4.3
SAP	N/A	Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0
SAP	N/A	Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758
SAP	S/4HANA	S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 et 106
SAP	S/4HANA	S/4HANA (Private Cloud & On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714
SAP	S/4HANA	S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 et 714
SAP	N/A	Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758
SAP	N/A	Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14
SAP	N/A	Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 et 103
SAP	N/A	PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108
SAP	N/A	Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 et 108
SAP	N/A	GUI for Windows version BC-FES-GUI 8.00

References

Title

Publication Time

Tags

Bulletin de sécurité SAP may-2025

2025-05-13

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 et 608",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 et 102",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "NetWeaver Application Server ABAP et ABAP Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Data Services Management Console version SBOP DS JOB SERVER 4.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 et 106",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Private Cloud \u0026 On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 et 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 et 103",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GUI for Windows version BC-FES-GUI 8.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-43003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43003"
    },
    {
      "name": "CVE-2025-43007",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43007"
    },
    {
      "name": "CVE-2025-23191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
    },
    {
      "name": "CVE-2025-42999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42999"
    },
    {
      "name": "CVE-2025-43009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43009"
    },
    {
      "name": "CVE-2025-43011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43011"
    },
    {
      "name": "CVE-2025-43006",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43006"
    },
    {
      "name": "CVE-2025-0060",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0060"
    },
    {
      "name": "CVE-2025-30012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30012"
    },
    {
      "name": "CVE-2025-43000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43000"
    },
    {
      "name": "CVE-2025-43004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43004"
    },
    {
      "name": "CVE-2025-31324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31324"
    },
    {
      "name": "CVE-2025-43005",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43005"
    },
    {
      "name": "CVE-2025-43008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43008"
    },
    {
      "name": "CVE-2025-31329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31329"
    },
    {
      "name": "CVE-2025-30009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30009"
    },
    {
      "name": "CVE-2025-30011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30011"
    },
    {
      "name": "CVE-2025-43002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43002"
    },
    {
      "name": "CVE-2025-26662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26662"
    },
    {
      "name": "CVE-2025-30010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30010"
    },
    {
      "name": "CVE-2025-42997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42997"
    },
    {
      "name": "CVE-2025-0061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0061"
    },
    {
      "name": "CVE-2025-43010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43010"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2025-30018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30018"
    }
  ],
  "initial_release_date": "2025-05-13T00:00:00",
  "last_revision_date": "2025-06-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0396",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-13T00:00:00.000000"
    },
    {
      "description": "Ajout des identifiants CVE CVE-2025-0060, CVE-2025-0061 et CVE-2025-23191",
      "revision_date": "2025-06-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-05-13",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP may-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html"
    }
  ]
}

CERTFR-2024-AVI-0844

Vulnerability from certfr_avis - Published: 2024-10-08 - Updated: 2024-10-08

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	NetWeaver BW	NetWeaver BW (BEx Analyzer) versions DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757 et SAP_BW 758 sans le dernier correctif de sécurité
SAP	N/A	Commerce Backoffice versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	S/4 HANA (Manage Bank Statements) versions S4CORE, 102, 103, 104, 105, 106 et 107 sans le dernier correctif de sécurité
SAP	N/A	Student Life Cycle Management (SLcM) versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807 et 808 sans le dernier correctif de sécurité
SAP	NetWeaver Enterprise Portal	NetWeaver Enterprise Portal (KMC) version KMC-BC 7.5 sans le dernier correctif de sécurité
SAP	N/A	PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	BusinessObjects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 420, 430, 2025, ENTERPRISECLIENTTOOLS 420, 430 et 2025 sans le dernier correctif de sécurité
SAP	N/A	HANA Client version HDB_CLIENT 2.0 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver AS for Java version 7.50 sans le dernier correctif de sécurité
SAP	N/A	SAP NetWeaver Application Server pour plateformes ABAP et ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité
SAP	N/A	Enterprise Project Connection version 3.0 sans le dernier correctif de sécurité
SAP	N/A	BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 440 sans le dernier correctif de sécurité

References

Title

Publication Time

Tags

Bulletin de sécurité SAP october-2024

2024-10-08

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NetWeaver BW (BEx Analyzer) versions DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757 et SAP_BW 758 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver BW",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Backoffice versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4 HANA (Manage Bank Statements) versions S4CORE, 102, 103, 104, 105, 106 et 107 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Student Life Cycle Management (SLcM) versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807 et 808 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Enterprise Portal (KMC) version KMC-BC 7.5 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Enterprise Portal",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 420, 430, 2025, ENTERPRISECLIENTTOOLS 420, 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "HANA Client version HDB_CLIENT 2.0 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for Java version 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Application Server pour plateformes ABAP et ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Enterprise Project Connection version 3.0 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 440 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-45282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45282"
    },
    {
      "name": "CVE-2024-42373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-42373"
    },
    {
      "name": "CVE-2024-38809",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38809"
    },
    {
      "name": "CVE-2024-41729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41729"
    },
    {
      "name": "CVE-2024-37180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37180"
    },
    {
      "name": "CVE-2024-45278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45278"
    },
    {
      "name": "CVE-2024-45283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45283"
    },
    {
      "name": "CVE-2024-45277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45277"
    },
    {
      "name": "CVE-2024-38808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38808"
    },
    {
      "name": "CVE-2024-47594",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47594"
    },
    {
      "name": "CVE-2022-23302",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302"
    },
    {
      "name": "CVE-2024-22259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2024-41730",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41730"
    },
    {
      "name": "CVE-2024-37179",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37179"
    }
  ],
  "initial_release_date": "2024-10-08T00:00:00",
  "last_revision_date": "2024-10-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0844",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-10-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2024-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP october-2024",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html"
    }
  ]
}

CERTFR-2024-AVI-0554

Vulnerability from certfr_avis - Published: 2024-07-09 - Updated: 2024-07-09

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	N/A	Enable Now versions antérieures à WPB_MANAGER_HANA 10 sans le dernier correctif de sécurité
SAP	N/A	Business Workflow (WebFlow Services) versions antérieures à SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de sécurité
SAP	N/A	Enable Now versions antérieures à WPB_MANAGER_CE 10 sans le dernier correctif de sécurité
SAP	N/A	Business Warehouse - Business Planning and Simulation versions antérieures à SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 sans le dernier correctif de sécurité
SAP	N/A	Commerce versions antérieures à HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	Enable Now versions antérieures à ENABLE_NOW_CONSUMP_DEL 1704 sans le dernier correctif de sécurité
SAP	N/A	CRM WebClient UI versions antérieures à S4FND 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité WEBCUIF 701, 731, 746, 747, 748, 800, 801
SAP	N/A	CRM WebClient UI versions antérieures à S4FND 104 sans le dernier correctif de sécurité
SAP	N/A	PDCE versions antérieures à S4CORE 102 et 103 sans le dernier correctif de sécurité
SAP	N/A	Business Warehouse - Business Planning and Simulation versions antérieures à SAP_BW_VIRTUAL_COMP 701 sans le dernier correctif de sécurité
SAP	N/A	S/4HANA Finance (Advanced Payment Management) versions antérieures à S4CORE 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Application Server for ABAP and ABAP Platform versions antérieures à SAP_BASIS 700,701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 795 et 796 sans le dernier correctif de sécurité
SAP	N/A	GUI pour Windows versions antérieures à BC-FES-GUI 8 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver Knowledge Management XMLEditor versions antérieures à KMC-WPC 7.50 sans le dernier correctif de sécurité
SAP	N/A	CRM WebClient UI versions antérieures à WEBCUIF 701, 731, 746, 747, 748, 800, 801 sans le dernier correctif de sécurité
SAP	N/A	PDCE versions antérieures à S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité

References

Title

Publication Time

Tags

Bulletin de sécurité SAP

2024-07-08

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Enable Now versions ant\u00e9rieures \u00e0 WPB_MANAGER_HANA 10 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Workflow (WebFlow Services) versions ant\u00e9rieures \u00e0 SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Enable Now versions ant\u00e9rieures \u00e0 WPB_MANAGER_CE 10 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse - Business Planning and Simulation versions ant\u00e9rieures \u00e0 SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce versions ant\u00e9rieures \u00e0 HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Enable Now versions ant\u00e9rieures \u00e0 ENABLE_NOW_CONSUMP_DEL 1704 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM WebClient UI versions ant\u00e9rieures \u00e0 S4FND 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9 WEBCUIF 701, 731, 746, 747, 748, 800, 801",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM WebClient UI versions ant\u00e9rieures \u00e0 S4FND 104 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions ant\u00e9rieures \u00e0 S4CORE 102 et 103 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse - Business Planning and Simulation versions ant\u00e9rieures \u00e0 SAP_BW_VIRTUAL_COMP 701 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA Finance (Advanced Payment Management) versions ant\u00e9rieures \u00e0 S4CORE 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP and ABAP Platform versions ant\u00e9rieures \u00e0 SAP_BASIS 700,701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 795 et 796 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GUI pour Windows versions ant\u00e9rieures \u00e0 BC-FES-GUI 8 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Knowledge Management XMLEditor versions ant\u00e9rieures \u00e0 KMC-WPC 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM WebClient UI versions ant\u00e9rieures \u00e0 WEBCUIF 701, 731, 746, 747, 748, 800, 801 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions ant\u00e9rieures \u00e0 S4COREOP 104, 105,\n106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-34689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34689"
    },
    {
      "name": "CVE-2024-37174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37174"
    },
    {
      "name": "CVE-2024-39597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39597"
    },
    {
      "name": "CVE-2024-37171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37171"
    },
    {
      "name": "CVE-2024-37172",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37172"
    },
    {
      "name": "CVE-2024-34685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34685"
    },
    {
      "name": "CVE-2024-39596",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39596"
    },
    {
      "name": "CVE-2024-34683",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34683"
    },
    {
      "name": "CVE-2024-37180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37180"
    },
    {
      "name": "CVE-2024-39600",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39600"
    },
    {
      "name": "CVE-2024-37175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37175"
    },
    {
      "name": "CVE-2024-39594",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39594"
    },
    {
      "name": "CVE-2024-37173",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37173"
    },
    {
      "name": "CVE-2024-39599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39599"
    },
    {
      "name": "CVE-2024-39598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39598"
    },
    {
      "name": "CVE-2024-39593",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39593"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2024-34692",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34692"
    },
    {
      "name": "CVE-2024-39595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39595"
    }
  ],
  "initial_release_date": "2024-07-09T00:00:00",
  "last_revision_date": "2024-07-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0554",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-07-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2024-07-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP",
      "url": "https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/knowledge-base/security-notes-news/2024%2007%20Patch%20Day%20Blog%20V1.pdf"
    }
  ]
}

GHSA-JGMC-5Q6M-58CH

Vulnerability from github – Published: 2024-07-09 06:30 – Updated: 2024-07-09 06:30

Details

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-39592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T04:15:13Z",
    "severity": "HIGH"
  },
  "details": "Elements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\n\n\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application.",
  "id": "GHSA-jgmc-5q6m-58ch",
  "modified": "2024-07-09T06:30:38Z",
  "published": "2024-07-09T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39592"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3483344"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2024-49635

Vulnerability from cnvd - Published: 2024-12-30

Title

SAP PDCE授权问题漏洞

Description

SAP PDCE是德国思爱普（SAP）公司的一种解决方案。旨在帮助企业管理和优化个人数据的整合和丰富过程。 SAP PDCE存在授权问题漏洞，该漏洞源于没有对经过身份验证的用户执行必要的授权检查，攻击者可利用该漏洞读取对应用程序机密性产生高影响的敏感信息。

Severity

中

Patch Name

SAP PDCE授权问题漏洞的补丁

Patch Description

SAP PDCE是德国思爱普（SAP）公司的一种解决方案。旨在帮助企业管理和优化个人数据的整合和丰富过程。 SAP PDCE存在授权问题漏洞，该漏洞源于没有对经过身份验证的用户执行必要的授权检查，攻击者可利用该漏洞读取对应用程序机密性产生高影响的敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://me.sap.com/notes/3483344

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-39592

Impacted products

Name
SAP SAP PDCE

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-39592",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-39592"
    }
  },
  "description": "SAP PDCE\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u79cd\u89e3\u51b3\u65b9\u6848\u3002\u65e8\u5728\u5e2e\u52a9\u4f01\u4e1a\u7ba1\u7406\u548c\u4f18\u5316\u4e2a\u4eba\u6570\u636e\u7684\u6574\u5408\u548c\u4e30\u5bcc\u8fc7\u7a0b\u3002\n\nSAP PDCE\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6ca1\u6709\u5bf9\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u5fc5\u8981\u7684\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u5bf9\u5e94\u7528\u7a0b\u5e8f\u673a\u5bc6\u6027\u4ea7\u751f\u9ad8\u5f71\u54cd\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://me.sap.com/notes/3483344",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49635",
  "openTime": "2024-12-30",
  "patchDescription": "SAP PDCE\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u79cd\u89e3\u51b3\u65b9\u6848\u3002\u65e8\u5728\u5e2e\u52a9\u4f01\u4e1a\u7ba1\u7406\u548c\u4f18\u5316\u4e2a\u4eba\u6570\u636e\u7684\u6574\u5408\u548c\u4e30\u5bcc\u8fc7\u7a0b\u3002\r\n\r\nSAP PDCE\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6ca1\u6709\u5bf9\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u5fc5\u8981\u7684\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u5bf9\u5e94\u7528\u7a0b\u5e8f\u673a\u5bc6\u6027\u4ea7\u751f\u9ad8\u5f71\u54cd\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP PDCE\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP PDCE"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-39592",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-19",
  "title": "SAP PDCE\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2024-39592

Vulnerability from fkie_nvd - Published: 2024-07-09 04:15 - Updated: 2024-11-21 09:28

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cna@sap.com	https://me.sap.com/notes/3483344	Permissions Required
cna@sap.com	https://url.sap/sapsecuritypatchday	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://me.sap.com/notes/3483344	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://url.sap/sapsecuritypatchday	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	s4core	102
sap	s4core	103
sap	s4coreop	104
sap	s4coreop	105
sap	s4coreop	106
sap	s4coreop	107
sap	s4coreop	108

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:s4core:102:*:*:*:*:*:*:*",
              "matchCriteriaId": "04C95A73-48EB-446C-A5F0-20E1D6BC1779",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4core:103:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C3C9003-68A6-4886-8979-9B7D01A35E40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4coreop:104:*:*:*:*:*:*:*",
              "matchCriteriaId": "666D246E-3DF3-494C-8BD6-6C2F7C0D78C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4coreop:105:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6B6F939-A3CD-4C0C-A6E7-E3BD4ADB5288",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4coreop:106:*:*:*:*:*:*:*",
              "matchCriteriaId": "02AEDF75-D0D4-4221-BB40-9A8DC51FA84D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4coreop:107:*:*:*:*:*:*:*",
              "matchCriteriaId": "81ABE589-A7D1-42EF-B5A9-A94C8D0AE3AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s4coreop:108:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C1E9400-4CEB-4185-BC03-72B7F59DF03C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Elements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\n\n\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application."
    },
    {
      "lang": "es",
      "value": "Elements of PDCE no realiza las verificaciones de autorizaci\u00f3n necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto permite a un atacante leer informaci\u00f3n confidencial causando un alto impacto en la confidencialidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-39592",
  "lastModified": "2024-11-21T09:28:04.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-09T04:15:13.420",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3483344"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3483344"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-39592 (GCVE-0-2024-39592)

CERTFR-2025-AVI-0190

Solutions

CERTFR-2025-AVI-0396

Solutions

CERTFR-2024-AVI-0844

Solutions

CERTFR-2024-AVI-0554

Solutions

GHSA-JGMC-5Q6M-58CH

CNVD-2024-49635

FKIE_CVE-2024-39592

Tags

Sightings

Nomenclature