Vulnerability-Lookup

CVE-2024-45277 (GCVE-0-2024-45277)

Vulnerability from cvelistv5 – Published: 2024-10-08 03:21 – Updated: 2024-10-08 14:01

Title

Prototype Pollution vulnerability in SAP HANA Client

Summary

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/3520100
	https://url.sap/sapsecuritypatchday
	https://www.npmjs.com/package/@sap/hana-client?ac…

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP HANA Client	Affected: HDB_CLIENT 2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap_se:sap_hana_client:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "sap_hana_client",
            "vendor": "sap_se",
            "versions": [
              {
                "status": "affected",
                "version": "HDB_CLIENT 2.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T13:59:56.396341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T14:01:44.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP HANA Client",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "HDB_CLIENT 2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.\u003c/p\u003e"
            }
          ],
          "value": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-08T09:52:33.850Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3520100"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        },
        {
          "url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Prototype Pollution vulnerability in SAP HANA Client",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-45277",
    "datePublished": "2024-10-08T03:21:16.236Z",
    "dateReserved": "2024-08-26T10:39:20.931Z",
    "dateUpdated": "2024-10-08T14:01:44.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45277\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-08T13:59:56.396341Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap_se:sap_hana_client:*:*:*:*:*:*:*:*\"], \"vendor\": \"sap_se\", \"product\": \"sap_hana_client\", \"versions\": [{\"status\": \"affected\", \"version\": \"HDB_CLIENT 2.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-08T14:01:31.948Z\"}}], \"cna\": {\"title\": \"Prototype Pollution vulnerability in SAP HANA Client\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP HANA Client\", \"versions\": [{\"status\": \"affected\", \"version\": \"HDB_CLIENT 2.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3520100\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}, {\"url\": \"https://www.npmjs.com/package/@sap/hana-client?activeTab=code\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-10-08T09:52:33.850Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45277\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-08T14:01:44.271Z\", \"dateReserved\": \"2024-08-26T10:39:20.931Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-10-08T03:21:16.236Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CVE-2024-45277

Vulnerability from fstec - Published: 08.10.2024

Title

Уязвимость функции nestTables программного обеспечения для подключения баз данных SAP HANA Client, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость функции nestTables программного обеспечения для подключения баз данных SAP HANA Client связана с неконтролируемым изменением атрибутов прототипа объекта. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Vendor

SAP

Software Name

SAP HANA Client

Software Version

HDB_CLIENT 2.0 (SAP HANA Client)

Possible Mitigations

Использование рекомендаций: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html

Reference

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html https://me.sap.com/notes/3520100 https://www.npmjs.com/package/@sap/hana-client?activeTab=code

CWE

CWE-1321

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "SAP",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "HDB_CLIENT 2.0 (SAP HANA Client)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.10.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.10.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "24.10.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-08515",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-45277",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SAP HANA Client",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 nestTables \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0431\u0430\u0437 \u0434\u0430\u043d\u043d\u044b\u0445 SAP HANA Client, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u0430\u044f \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 \u043f\u0440\u043e\u0442\u043e\u0442\u0438\u043f\u0430 \u043e\u0431\u044a\u0435\u043a\u0442\u0430 (CWE-1321)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 nestTables \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0431\u0430\u0437 \u0434\u0430\u043d\u043d\u044b\u0445 SAP HANA Client \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435\u043c \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 \u043f\u0440\u043e\u0442\u043e\u0442\u0438\u043f\u0430 \u043e\u0431\u044a\u0435\u043a\u0442\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u043e\u043a\u0430\u043c\u0438 \u0438 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html\nhttps://me.sap.com/notes/3520100\nhttps://www.npmjs.com/package/@sap/hana-client?activeTab=code",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-1321",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)"
}

GHSA-6339-GV7W-G5F4

Vulnerability from github – Published: 2024-10-08 06:30 – Updated: 2024-10-08 14:37

Summary

SAP HANA Node.js client package vulnerable to Prototype Pollution

Details

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sap/hana-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.21.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T14:37:55Z",
    "nvd_published_at": "2024-10-08T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.",
  "id": "GHSA-6339-gv7w-g5f4",
  "modified": "2024-10-08T14:37:55Z",
  "published": "2024-10-08T06:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45277"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3520100"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SAP HANA Node.js client package vulnerable to Prototype Pollution"
}

FKIE_CVE-2024-45277

Vulnerability from fkie_nvd - Published: 2024-10-08 04:15 - Updated: 2024-11-14 17:54

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Summary

References

URL	Tags
cna@sap.com	https://me.sap.com/notes/3520100	Permissions Required
cna@sap.com	https://url.sap/sapsecuritypatchday	Vendor Advisory
cna@sap.com	https://www.npmjs.com/package/@sap/hana-client?activeTab=code	Product

Impacted products

	Vendor	Product	Version
	sap	hana-client	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:hana-client:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F5C1E6EC-59D6-4B6B-AEFA-5CA4E39D8AC2",
              "versionEndExcluding": "2.21.31",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity."
    },
    {
      "lang": "es",
      "value": "Las versiones del paquete de cliente SAP HANA Node.js de la 2.0.0 anterior a la 2.21.31 se ven afectadas por la vulnerabilidad de contaminaci\u00f3n de prototipos, que permite a un atacante agregar propiedades arbitrarias a los prototipos de objetos globales. Esto se debe a una desinfecci\u00f3n inadecuada de la entrada del usuario al utilizar la funci\u00f3n nestTables, lo que tiene un impacto bajo en la disponibilidad de la aplicaci\u00f3n. Esto no tiene impacto en la confidencialidad ni la integridad."
    }
  ],
  "id": "CVE-2024-45277",
  "lastModified": "2024-11-14T17:54:28.373",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-08T04:15:08.133",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3520100"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

CNVD-2024-49626

Vulnerability from cnvd - Published: 2024-12-31

Title

SAP HANA输入验证错误漏洞（CNVD-2024-49626）

Description

SAP HANA是德国思爱普（SAP）公司的一套高性能的实时数据分析平台。该平台提供数据查询功能，支持用户对查询实时业务数据进行查询和分析。 SAP HANA Node.js client存在输入验证错误漏洞，该漏洞源于使用nestTables功能时对用户输入清理不当。攻击者利用该漏洞向全局对象原型添加任意属性。

Severity

中

Patch Name

SAP HANA输入验证错误漏洞（CNVD-2024-49626）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://me.sap.com/notes/3520100

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-45277

Impacted products

Name
SAP SAP HANA >=2.0.0，<2.21.31

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-45277",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-45277"
    }
  },
  "description": "SAP HANA\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9ad8\u6027\u80fd\u7684\u5b9e\u65f6\u6570\u636e\u5206\u6790\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u6570\u636e\u67e5\u8be2\u529f\u80fd\uff0c\u652f\u6301\u7528\u6237\u5bf9\u67e5\u8be2\u5b9e\u65f6\u4e1a\u52a1\u6570\u636e\u8fdb\u884c\u67e5\u8be2\u548c\u5206\u6790\u3002\n\nSAP HANA Node.js client\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528nestTables\u529f\u80fd\u65f6\u5bf9\u7528\u6237\u8f93\u5165\u6e05\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5168\u5c40\u5bf9\u8c61\u539f\u578b\u6dfb\u52a0\u4efb\u610f\u5c5e\u6027\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://me.sap.com/notes/3520100",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49626",
  "openTime": "2024-12-31",
  "patchDescription": "SAP HANA\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9ad8\u6027\u80fd\u7684\u5b9e\u65f6\u6570\u636e\u5206\u6790\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u6570\u636e\u67e5\u8be2\u529f\u80fd\uff0c\u652f\u6301\u7528\u6237\u5bf9\u67e5\u8be2\u5b9e\u65f6\u4e1a\u52a1\u6570\u636e\u8fdb\u884c\u67e5\u8be2\u548c\u5206\u6790\u3002\r\n\r\nSAP HANA Node.js client\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528nestTables\u529f\u80fd\u65f6\u5bf9\u7528\u6237\u8f93\u5165\u6e05\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5168\u5c40\u5bf9\u8c61\u539f\u578b\u6dfb\u52a0\u4efb\u610f\u5c5e\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP HANA\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2024-49626\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP HANA \u003e=2.0.0\uff0c\u003c2.21.31"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-45277",
  "serverity": "\u4e2d",
  "submitTime": "2024-10-17",
  "title": "SAP HANA\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2024-49626\uff09"
}

CERTFR-2024-AVI-0844

Vulnerability from certfr_avis - Published: 2024-10-08 - Updated: 2024-10-08

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	NetWeaver BW	NetWeaver BW (BEx Analyzer) versions DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757 et SAP_BW 758 sans le dernier correctif de sécurité
SAP	N/A	Commerce Backoffice versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	S/4 HANA (Manage Bank Statements) versions S4CORE, 102, 103, 104, 105, 106 et 107 sans le dernier correctif de sécurité
SAP	N/A	Student Life Cycle Management (SLcM) versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807 et 808 sans le dernier correctif de sécurité
SAP	NetWeaver Enterprise Portal	NetWeaver Enterprise Portal (KMC) version KMC-BC 7.5 sans le dernier correctif de sécurité
SAP	N/A	PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	N/A	BusinessObjects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 420, 430, 2025, ENTERPRISECLIENTTOOLS 420, 430 et 2025 sans le dernier correctif de sécurité
SAP	N/A	HANA Client version HDB_CLIENT 2.0 sans le dernier correctif de sécurité
SAP	N/A	NetWeaver AS for Java version 7.50 sans le dernier correctif de sécurité
SAP	N/A	SAP NetWeaver Application Server pour plateformes ABAP et ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité
SAP	N/A	Enterprise Project Connection version 3.0 sans le dernier correctif de sécurité
SAP	N/A	BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 440 sans le dernier correctif de sécurité

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-45277 (GCVE-0-2024-45277)

CVE-2024-45277

GHSA-6339-GV7W-G5F4

FKIE_CVE-2024-45277

CNVD-2024-49626

CERTFR-2024-AVI-0844

Solutions

Tags

Sightings

Nomenclature