Lucene search

SapVULNRICHMENT:CVE-2024-34689

HistoryJul 09, 2024 - 4:18 a.m.

CVE-2024-34689 [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)

2024-07-0904:18:21

CWE-918

sap

github.com

server-side request forgery

sap business workflow

authenticated attacker

http endpoints

information disclosure

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

Percentile

14.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:sap_se:sap_business_workflow_\\(webflow_services\\):*:*:*:*:*:*:*:*"
    ],
    "vendor": "sap_se",
    "product": "sap_business_workflow_\\(webflow_services\\)",
    "versions": [
      {
        "status": "affected",
        "version": "SAP_BASIS 700"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 701"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 702"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 731"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 740"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 750"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 751"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 752"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 753"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 754"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 755"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 756"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 757"
      },
      {
        "status": "affected",
        "version": "SAP_BASIS 758"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

me.sap.com/notes/3458789

url.sap/sapsecuritypatchday

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

Percentile

14.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-34689