Lucene search

SapCVE-2024-27900

HistoryMar 12, 2024 - 1:15 a.m.

CVE-2024-27900

2024-03-1201:15:49

CWE-862

sap

web.nvd.nist.gov

cve-2024-27900

sap

abap

security

authorization

privacy settings

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP ABAP Platform",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "758"
      },
      {
        "status": "affected",
        "version": "795"
      }
    ]
  }
]

References

me.sap.com/notes/3419022

support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-27900