Lucene search

SapVULNRICHMENT:CVE-2024-33003

HistoryAug 13, 2024 - 3:36 a.m.

CVE-2024-33003 Information Disclosure Vulnerability in SAP Commerce Cloud

2024-08-1303:36:55

CWE-200

sap

github.com

sap commerce cloud

pii data

information disclosure

cve-2024-33003

high impact

confidentiality

integrity

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

39.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Some OCC API endpoints in SAP Commerce Cloud
allows Personally Identifiable Information (PII) data, such as passwords, email
addresses, mobile numbers, coupon codes, and voucher codes, to be included in
the request URL as query or path parameters. On successful exploitation, this
could lead to a High impact on confidentiality and integrity of the
application.

CNA Affected

[
  {
    "vendor": "SAP_SE",
    "product": "SAP Commerce Cloud",
    "versions": [
      {
        "status": "affected",
        "version": "HY_COM 1808"
      },
      {
        "status": "affected",
        "version": "1811"
      },
      {
        "status": "affected",
        "version": "1905"
      },
      {
        "status": "affected",
        "version": "2005"
      },
      {
        "status": "affected",
        "version": "2105"
      },
      {
        "status": "affected",
        "version": "2011"
      },
      {
        "status": "affected",
        "version": "2205"
      },
      {
        "status": "affected",
        "version": "COM_CLOUD 2211"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:2005:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:2011:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:2105:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*",
      "cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*"
    ],
    "vendor": "sap",
    "product": "commerce_cloud",
    "versions": [
      {
        "status": "affected",
        "version": "1808"
      },
      {
        "status": "affected",
        "version": "1811"
      },
      {
        "status": "affected",
        "version": "1905"
      },
      {
        "status": "affected",
        "version": "2005"
      },
      {
        "status": "affected",
        "version": "2011"
      },
      {
        "status": "affected",
        "version": "2105"
      },
      {
        "status": "affected",
        "version": "2205"
      },
      {
        "status": "affected",
        "version": "2211"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

me.sap.com/notes/3459935

url.sap/sapsecuritypatchday

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

39.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-33003