Lucene search

[email protected]CVE-2024-27900

HistoryMar 12, 2024 - 1:15 a.m.

CVE-2024-27900

2024-03-1201:15:49

CWE-862

[email protected]

web.nvd.nist.gov

cve-2024-27900

sap

abap

security

authorization

privacy settings

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP ABAP Platform",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "758"
      },
      {
        "status": "affected",
        "version": "795"
      }
    ]
  }
]

References

me.sap.com/notes/3419022

support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2024-27900

prion1 nvd1 cnvd1 cvelist1