Lucene search

SapCVELIST:CVE-2024-34692

HistoryJul 09, 2024 - 4:43 a.m.

CVE-2024-34692 [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now

2024-07-0904:43:05

CWE-434

sap

www.cve.org

sap enable now

unrestricted file upload

arbitrary files

executables

malware

confidentiality

integrity

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

EPSS

Percentile

14.7%

JSON

Due to missing verification of file type or
content, SAP Enable Now allows an authenticated attacker to upload arbitrary
files. These files include executables which might be downloaded and executed
by the user which could host malware. On successful exploitation an attacker
can cause limited impact on confidentiality and Integrity of the application.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Enable Now",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "WPB_MANAGER_CE 10"
      },
      {
        "status": "affected",
        "version": "WPB_MANAGER_HANA 10"
      },
      {
        "status": "affected",
        "version": "ENABLE_NOW_CONSUMP_DEL 1704"
      }
    ]
  }
]

References

me.sap.com/notes/3476340

url.sap/sapsecuritypatchday