Lucene search

SapCVELIST:CVE-2024-21737

HistoryJan 09, 2024 - 1:18 a.m.

CVE-2024-21737 Code Injection vulnerability in SAP Application Interface Framework (File Adapter)

2024-01-0901:18:19

CWE-94

sap

www.cve.org

sap

application interface framework

code injection

file adapter

high privilege user

function module

os commands

confidentiality

integrity

availability

CVSS3

8.4

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.001

Percentile

18.2%

JSON

In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Application Interface Framework (File Adapter)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "702"
      }
    ]
  }
]

References

me.sap.com/notes/3411869

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVSS3

8.4

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.001

Percentile

18.2%

JSON

Related for CVELIST:CVE-2024-21737