Lucene search

SapCVE-2024-41728

HistorySep 10, 2024 - 4:15 a.m.

CVE-2024-41728

2024-09-1004:15:04

CWE-862

sap

web.nvd.nist.gov

cve-2024-41728

sap

netweaver

abap

authorization

check

attacker

developer

objects

package

confidentiality

CVSS3

2.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

Percentile

14.7%

JSON

Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.

Affected configurations

Nvd

Node

sapnetweaver_application_server_abapMatch700

sapnetweaver_application_server_abapMatch701

sapnetweaver_application_server_abapMatch702

sapnetweaver_application_server_abapMatch731

sapnetweaver_application_server_abapMatch740

sapnetweaver_application_server_abapMatch750

sapnetweaver_application_server_abapMatch751

sapnetweaver_application_server_abapMatch752

sapnetweaver_application_server_abapMatch753

sapnetweaver_application_server_abapMatch754

sapnetweaver_application_server_abapMatch755

sapnetweaver_application_server_abapMatch756

sapnetweaver_application_server_abapMatch757

sapnetweaver_application_server_abapMatch758

sapnetweaver_application_server_abapMatch912

VendorProductVersionCPE
sapnetweaver_application_server_abap700cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*
sapnetweaver_application_server_abap701cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*
sapnetweaver_application_server_abap702cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*
sapnetweaver_application_server_abap731cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*
sapnetweaver_application_server_abap740cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*
sapnetweaver_application_server_abap750cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*
sapnetweaver_application_server_abap751cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*
sapnetweaver_application_server_abap752cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*
sapnetweaver_application_server_abap753cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*
sapnetweaver_application_server_abap754cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	netweaver_application_server_abap	700	cpe:2.3:a:sap:netweaver_application_server_abap:700:::::::*
sap	netweaver_application_server_abap	701	cpe:2.3:a:sap:netweaver_application_server_abap:701:::::::*
sap	netweaver_application_server_abap	702	cpe:2.3:a:sap:netweaver_application_server_abap:702:::::::*
sap	netweaver_application_server_abap	731	cpe:2.3:a:sap:netweaver_application_server_abap:731:::::::*
sap	netweaver_application_server_abap	740	cpe:2.3:a:sap:netweaver_application_server_abap:740:::::::*
sap	netweaver_application_server_abap	750	cpe:2.3:a:sap:netweaver_application_server_abap:750:::::::*
sap	netweaver_application_server_abap	751	cpe:2.3:a:sap:netweaver_application_server_abap:751:::::::*
sap	netweaver_application_server_abap	752	cpe:2.3:a:sap:netweaver_application_server_abap:752:::::::*
sap	netweaver_application_server_abap	753	cpe:2.3:a:sap:netweaver_application_server_abap:753:::::::*
sap	netweaver_application_server_abap	754	cpe:2.3:a:sap:netweaver_application_server_abap:754:::::::*

Rows per page:

1-10 of 151

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver Application Server for ABAP and ABAP Platform",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "700"
      },
      {
        "status": "affected",
        "version": "701"
      },
      {
        "status": "affected",
        "version": "702"
      },
      {
        "status": "affected",
        "version": "731"
      },
      {
        "status": "affected",
        "version": "740"
      },
      {
        "status": "affected",
        "version": "750"
      },
      {
        "status": "affected",
        "version": "751"
      },
      {
        "status": "affected",
        "version": "752"
      },
      {
        "status": "affected",
        "version": "753"
      },
      {
        "status": "affected",
        "version": "754"
      },
      {
        "status": "affected",
        "version": "755"
      },
      {
        "status": "affected",
        "version": "756"
      },
      {
        "status": "affected",
        "version": "757"
      },
      {
        "status": "affected",
        "version": "758"
      },
      {
        "status": "affected",
        "version": "912"
      }
    ]
  }
]

References

me.sap.com/notes/3496410

url.sap/sapsecuritypatchday

CVSS3

2.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

Percentile

14.7%

JSON

Related for CVE-2024-41728