Lucene search

SapCVE-2024-25642

HistoryFeb 13, 2024 - 3:15 a.m.

CVE-2024-25642

2024-02-1303:15:09

CWE-295

sap

web.nvd.nist.gov

sap

cloud connector

cve-2024-25642

certificate validation

impersonation

sensitive information

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

15.5%

JSON

Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Cloud Connector",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "2.0"
      }
    ]
  }
]

References

seclists.org/fulldisclosure/2024/May/26

me.sap.com/notes/3424610

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

15.5%

JSON

Related for CVE-2024-25642