Lucene search

SapCVE-2024-33003

HistoryAug 13, 2024 - 4:15 a.m.

CVE-2024-33003

2024-08-1304:15:07

CWE-200

sap

web.nvd.nist.gov

cve-2024-33003

personally identifiable information

pii

data

passwords

email addresses

mobile numbers

coupon codes

voucher codes

request url

query parameters

path parameters

exploitation

high impact

confidentiality

integrity

application

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

39.6%

JSON

Some OCC API endpoints in SAP Commerce Cloud
allows Personally Identifiable Information (PII) data, such as passwords, email
addresses, mobile numbers, coupon codes, and voucher codes, to be included in
the request URL as query or path parameters. On successful exploitation, this
could lead to a High impact on confidentiality and integrity of the
application.

Affected configurations

Nvd

Node

sapcommerce_cloudMatch1811

sapcommerce_cloudMatch1905

sapcommerce_cloudMatch2005

sapcommerce_cloudMatch2011

sapcommerce_cloudMatch2105

sapcommerce_cloudMatch2205

sapcommerce_cloudMatchcom_cloud_2211

sapcommerce_cloudMatchhy_com_1808

VendorProductVersionCPE
sapcommerce_cloud1811cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*
sapcommerce_cloud1905cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*
sapcommerce_cloud2005cpe:2.3:a:sap:commerce_cloud:2005:*:*:*:*:*:*:*
sapcommerce_cloud2011cpe:2.3:a:sap:commerce_cloud:2011:*:*:*:*:*:*:*
sapcommerce_cloud2105cpe:2.3:a:sap:commerce_cloud:2105:*:*:*:*:*:*:*
sapcommerce_cloud2205cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*
sapcommerce_cloudcom_cloud_2211cpe:2.3:a:sap:commerce_cloud:com_cloud_2211:*:*:*:*:*:*:*
sapcommerce_cloudhy_com_1808cpe:2.3:a:sap:commerce_cloud:hy_com_1808:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	commerce_cloud	1811	cpe:2.3:a:sap:commerce_cloud:1811:::::::*
sap	commerce_cloud	1905	cpe:2.3:a:sap:commerce_cloud:1905:::::::*
sap	commerce_cloud	2005	cpe:2.3:a:sap:commerce_cloud:2005:::::::*
sap	commerce_cloud	2011	cpe:2.3:a:sap:commerce_cloud:2011:::::::*
sap	commerce_cloud	2105	cpe:2.3:a:sap:commerce_cloud:2105:::::::*
sap	commerce_cloud	2205	cpe:2.3:a:sap:commerce_cloud:2205:::::::*
sap	commerce_cloud	com_cloud_2211	cpe:2.3:a:sap:commerce_cloud:com_cloud_2211:::::::*
sap	commerce_cloud	hy_com_1808	cpe:2.3:a:sap:commerce_cloud:hy_com_1808:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Commerce Cloud",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "HY_COM 1808"
      },
      {
        "status": "affected",
        "version": "1811"
      },
      {
        "status": "affected",
        "version": "1905"
      },
      {
        "status": "affected",
        "version": "2005"
      },
      {
        "status": "affected",
        "version": "2105"
      },
      {
        "status": "affected",
        "version": "2011"
      },
      {
        "status": "affected",
        "version": "2205"
      },
      {
        "status": "affected",
        "version": "COM_CLOUD 2211"
      }
    ]
  }
]

References

me.sap.com/notes/3459935

url.sap/sapsecuritypatchday

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

39.6%

JSON

Related for CVE-2024-33003