Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for SAP S/4HANA by SAP SE

    CVE-2022-32248 (GCVE-0-2022-32248)

    Vulnerability from nvd – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:39
    VLAI
    Summary
    Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data.
    Severity
    No CVSS data available.
    CWE
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:39:51.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3216161"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-12T20:27:22.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3216161"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-32248",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "101"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "102"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "103"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "104"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "105"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
                  "refsource": "MISC",
                  "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3216161",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3216161"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-32248",
        "datePublished": "2022-07-12T20:27:22.000Z",
        "dateReserved": "2022-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:39:51.053Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31597 (GCVE-0-2022-31597)

    Vulnerability from nvd – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:25
    VLAI
    Summary
    Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
    Severity
    No CVSS data available.
    CWE
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: S4CORE 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: SAPSCORE 127
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:25:59.513Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3213826"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "SAPSCORE 127"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-12T20:27:00.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3213826"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-31597",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "S4CORE 101"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "102"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "103"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "104"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "105"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "106"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "SAPSCORE 127"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
                  "refsource": "MISC",
                  "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3213826",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3213826"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-31597",
        "datePublished": "2022-07-12T20:27:00.000Z",
        "dateReserved": "2022-05-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:25:59.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22531 (GCVE-0-2022-22531)

    Vulnerability from nvd – Published: 2022-01-14 19:11 – Updated: 2024-08-03 03:14
    VLAI
    Summary
    The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:55.412Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3112928"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.\u003c/p\u003e"
                }
              ],
              "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-10T18:07:38.847Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3112928"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-22531",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3112928",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3112928"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-22531",
        "datePublished": "2022-01-14T19:11:28.000Z",
        "dateReserved": "2022-01-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:14:55.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22530 (GCVE-0-2022-22530)

    Vulnerability from nvd – Published: 2022-01-14 19:11 – Updated: 2024-08-03 03:14
    VLAI
    Summary
    The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.
    Severity
    No CVSS data available.
    CWE
    • Code Injection
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:55.426Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3112928"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-10T18:08:30.733Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3112928"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-22530",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3112928",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3112928"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-22530",
        "datePublished": "2022-01-14T19:11:26.000Z",
        "dateReserved": "2022-01-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:14:55.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33701 (GCVE-0-2021-33701)

    Vulnerability from nvd – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
    VLAI
    Summary
    DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection�)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE DMIS Mobile Plug-In Affected: < DMIS 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 710
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S/4HANA Affected: < SAPSCORE 125
    Affected: < S4CORE 102
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:58:22.494Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3078312"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DMIS Mobile Plug-In",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c DMIS 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c SAPSCORE 125"
                },
                {
                  "status": "affected",
                  "version": "\u003c S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-15T17:06:24.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3078312"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-33701",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DMIS Mobile Plug-In",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "DMIS 2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "SAPSCORE 125"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "S4CORE 102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3078312",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3078312"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-33701",
        "datePublished": "2021-09-15T18:01:55.000Z",
        "dateReserved": "2021-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:58:22.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38176 (GCVE-0-2021-38176)

    Vulnerability from nvd – Published: 2021-09-14 11:19 – Updated: 2024-08-04 01:37
    VLAI
    Summary
    Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
    CWE
    • Improper Input Sanitization
    Assigner
    sap
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3089831"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1511"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1610"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1709"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1809"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1909"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2021"
                }
              ]
            },
            {
              "product": "SAP LT Replication Server",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.0"
                }
              ]
            },
            {
              "product": "SAP LTRS for S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0"
                }
              ]
            },
            {
              "product": "SAP Test Data Migration Server",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.0"
                }
              ]
            },
            {
              "product": "SAP Landscape Transformation",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Sanitization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-30T17:49:36.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3089831"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-38176",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1511"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1610"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1709"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1809"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1909"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2021"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP LT Replication Server",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP LTRS for S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Test Data Migration Server",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Landscape Transformation",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Input Sanitization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3089831",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3089831"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-38176",
        "datePublished": "2021-09-14T11:19:07.000Z",
        "dateReserved": "2021-08-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T01:37:16.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-32248 (GCVE-0-2022-32248)

    Vulnerability from cvelistv5 – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:39
    VLAI
    Summary
    Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data.
    Severity
    No CVSS data available.
    CWE
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:39:51.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3216161"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-12T20:27:22.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3216161"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-32248",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "101"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "102"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "103"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "104"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "105"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
                  "refsource": "MISC",
                  "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3216161",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3216161"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-32248",
        "datePublished": "2022-07-12T20:27:22.000Z",
        "dateReserved": "2022-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:39:51.053Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31597 (GCVE-0-2022-31597)

    Vulnerability from cvelistv5 – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:25
    VLAI
    Summary
    Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
    Severity
    No CVSS data available.
    CWE
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: S4CORE 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: SAPSCORE 127
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:25:59.513Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3213826"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "SAPSCORE 127"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-12T20:27:00.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3213826"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-31597",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "S4CORE 101"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "102"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "103"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "104"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "105"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "106"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "SAPSCORE 127"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
                  "refsource": "MISC",
                  "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3213826",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3213826"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-31597",
        "datePublished": "2022-07-12T20:27:00.000Z",
        "dateReserved": "2022-05-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T07:25:59.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22531 (GCVE-0-2022-22531)

    Vulnerability from cvelistv5 – Published: 2022-01-14 19:11 – Updated: 2024-08-03 03:14
    VLAI
    Summary
    The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:55.412Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3112928"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.\u003c/p\u003e"
                }
              ],
              "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-10T18:07:38.847Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3112928"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-22531",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3112928",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3112928"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-22531",
        "datePublished": "2022-01-14T19:11:28.000Z",
        "dateReserved": "2022-01-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:14:55.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22530 (GCVE-0-2022-22530)

    Vulnerability from cvelistv5 – Published: 2022-01-14 19:11 – Updated: 2024-08-03 03:14
    VLAI
    Summary
    The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.
    Severity
    No CVSS data available.
    CWE
    • Code Injection
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP S/4HANA Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:55.426Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3112928"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-10T18:08:30.733Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3112928"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2022-22530",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "106"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "null",
                "vectorString": "null",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3112928",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3112928"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2022-22530",
        "datePublished": "2022-01-14T19:11:26.000Z",
        "dateReserved": "2022-01-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:14:55.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33701 (GCVE-0-2021-33701)

    Vulnerability from cvelistv5 – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
    VLAI
    Summary
    DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection�)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE DMIS Mobile Plug-In Affected: < DMIS 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 710
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S/4HANA Affected: < SAPSCORE 125
    Affected: < S4CORE 102
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:58:22.494Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3078312"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DMIS Mobile Plug-In",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c DMIS 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c SAPSCORE 125"
                },
                {
                  "status": "affected",
                  "version": "\u003c S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-15T17:06:24.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3078312"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-33701",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DMIS Mobile Plug-In",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "DMIS 2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "SAPSCORE 125"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "S4CORE 102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3078312",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3078312"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-33701",
        "datePublished": "2021-09-15T18:01:55.000Z",
        "dateReserved": "2021-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:58:22.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38176 (GCVE-0-2021-38176)

    Vulnerability from cvelistv5 – Published: 2021-09-14 11:19 – Updated: 2024-08-04 01:37
    VLAI
    Summary
    Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
    CWE
    • Improper Input Sanitization
    Assigner
    sap
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3089831"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1511"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1610"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1709"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1809"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1909"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2021"
                }
              ]
            },
            {
              "product": "SAP LT Replication Server",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.0"
                }
              ]
            },
            {
              "product": "SAP LTRS for S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0"
                }
              ]
            },
            {
              "product": "SAP Test Data Migration Server",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.0"
                }
              ]
            },
            {
              "product": "SAP Landscape Transformation",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Sanitization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-30T17:49:36.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3089831"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-38176",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1511"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1610"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1709"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1809"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1909"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2021"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP LT Replication Server",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP LTRS for S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Test Data Migration Server",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Landscape Transformation",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Input Sanitization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3089831",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3089831"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-38176",
        "datePublished": "2021-09-14T11:19:07.000Z",
        "dateReserved": "2021-08-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T01:37:16.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }