Search criteria
10 vulnerabilities found for bw\/4hana by sap
CVE-2024-37176 (GCVE-0-2024-37176)
Vulnerability from nvd – Published: 2024-06-11 02:14 – Updated: 2024-08-02 03:50
VLAI?
Title
Missing Authorization check in SAP BW/4HANA Transformation and DTP
Summary
SAP BW/4HANA Transformation and Data Transfer
Process (DTP) allows an authenticated attacker to gain higher access levels
than they should have by exploiting improper authorization checks. This results
in escalation of privileges. It has no impact on the confidentiality of data
but may have low impacts on the integrity and availability of the application.
Severity ?
5.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP BW/4HANA Transformation and Data Transfer Process |
Affected:
DW4CORE 200
Affected: 300 Affected: 400 Affected: 796 Affected: SAP_BW 740 Affected: 750 Affected: 751 Affected: 752 Affected: 753 Affected: 754 Affected: 755 Affected: 756 Affected: 757 Affected: 758 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "dw4core200"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "300"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "400"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "796"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "sap_bw_740"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "750"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "751"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "752"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "753"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "754"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "755"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "756"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "757"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "758"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T13:51:16.715875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:16:58.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3465455"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP BW/4HANA Transformation and Data Transfer Process",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "DW4CORE 200"
},
{
"status": "affected",
"version": "300"
},
{
"status": "affected",
"version": "400"
},
{
"status": "affected",
"version": "796"
},
{
"status": "affected",
"version": "SAP_BW 740"
},
{
"status": "affected",
"version": "750"
},
{
"status": "affected",
"version": "751"
},
{
"status": "affected",
"version": "752"
},
{
"status": "affected",
"version": "753"
},
{
"status": "affected",
"version": "754"
},
{
"status": "affected",
"version": "755"
},
{
"status": "affected",
"version": "756"
},
{
"status": "affected",
"version": "757"
},
{
"status": "affected",
"version": "758"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application.\n\n\n\n"
}
],
"value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T02:14:45.656Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3465455"
},
{
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization check in SAP BW/4HANA Transformation and DTP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37176",
"datePublished": "2024-06-11T02:14:45.656Z",
"dateReserved": "2024-06-04T07:49:42.492Z",
"dateUpdated": "2024-08-02T03:50:54.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33992 (GCVE-0-2023-33992)
Vulnerability from nvd – Published: 2023-07-11 02:34 – Updated: 2024-10-29 13:43
VLAI?
Title
Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
Summary
The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
Severity ?
4.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Business Warehouse and SAP BW/4HANA |
Affected:
SAP_BW 730
Affected: SAP_BW 731 Affected: SAP_BW 740 Affected: SAP_BW 750 Affected: DW4CORE 100 Affected: DW4CORE 200 Affected: DW4CORE 300 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3088078"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T18:38:55.404664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T13:43:38.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Warehouse and SAP BW/4HANA",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_BW 730"
},
{
"status": "affected",
"version": "SAP_BW 731"
},
{
"status": "affected",
"version": "SAP_BW 740"
},
{
"status": "affected",
"version": "SAP_BW 750"
},
{
"status": "affected",
"version": "DW4CORE 100"
},
{
"status": "affected",
"version": "DW4CORE 200"
},
{
"status": "affected",
"version": "DW4CORE 300"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\u003c/p\u003e"
}
],
"value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T02:34:11.627Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3088078"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-33992",
"datePublished": "2023-07-11T02:34:11.627Z",
"dateReserved": "2023-05-24T20:41:32.835Z",
"dateUpdated": "2024-10-29T13:43:38.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21466 (GCVE-0-2021-21466)
Vulnerability from nvd – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
VLAI?
Summary
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
Severity ?
9.9 (Critical)
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP SE | SAP Business Warehouse |
Affected:
< 700
Affected: < 701 Affected: < 702 Affected: < 711 Affected: < 730 Affected: < 731 Affected: < 740 Affected: < 750 Affected: < 782 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:22.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Business Warehouse",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 701"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 711"
},
{
"status": "affected",
"version": "\u003c 730"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 782"
}
]
},
{
"product": "SAP BW/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 100"
},
{
"status": "affected",
"version": "\u003c 200"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T17:06:16",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-21466",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Business Warehouse",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "701"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "711"
},
{
"version_name": "\u003c",
"version_value": "730"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "782"
}
]
}
},
{
"product_name": "SAP BW/4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "100"
},
{
"version_name": "\u003c",
"version_value": "200"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.9",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2999854",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-21466",
"datePublished": "2021-01-12T14:42:39",
"dateReserved": "2020-12-30T00:00:00",
"dateUpdated": "2024-08-03T18:16:22.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26838 (GCVE-0-2020-26838)
Vulnerability from nvd – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
VLAI?
Summary
SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.
Severity ?
9.1 (Critical)
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP SE | SAP Business Warehouse |
Affected:
< 700
Affected: < 701 Affected: < 702 Affected: < 731 Affected: < 740 Affected: < 750 Affected: < 751 Affected: < 752 Affected: < 753 Affected: < 754 Affected: < 755 Affected: < 782 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:03:22.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Business Warehouse",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 701"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 751"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 753"
},
{
"status": "affected",
"version": "\u003c 754"
},
{
"status": "affected",
"version": "\u003c 755"
},
{
"status": "affected",
"version": "\u003c 782"
}
]
},
{
"product": "SAP BW4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 100"
},
{
"status": "affected",
"version": "\u003c 200"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-09T16:31:14",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2020-26838",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Business Warehouse",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "701"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "751"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "753"
},
{
"version_name": "\u003c",
"version_value": "754"
},
{
"version_name": "\u003c",
"version_value": "755"
},
{
"version_name": "\u003c",
"version_value": "782"
}
]
}
},
{
"product_name": "SAP BW4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "100"
},
{
"version_name": "\u003c",
"version_value": "200"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.1",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2983367",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2020-26838",
"datePublished": "2020-12-09T16:31:14",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T16:03:22.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0243 (GCVE-0-2019-0243)
Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
VLAI?
Summary
Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP BW/4HANA (DW4CORE) |
Affected:
< 1.0 (SP08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106467"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BW/4HANA (DW4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0 (SP08)"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106467"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0243",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BW/4HANA (DW4CORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.0 (SP08)"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2727623",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106467"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0243",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:15.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37176 (GCVE-0-2024-37176)
Vulnerability from cvelistv5 – Published: 2024-06-11 02:14 – Updated: 2024-08-02 03:50
VLAI?
Title
Missing Authorization check in SAP BW/4HANA Transformation and DTP
Summary
SAP BW/4HANA Transformation and Data Transfer
Process (DTP) allows an authenticated attacker to gain higher access levels
than they should have by exploiting improper authorization checks. This results
in escalation of privileges. It has no impact on the confidentiality of data
but may have low impacts on the integrity and availability of the application.
Severity ?
5.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP BW/4HANA Transformation and Data Transfer Process |
Affected:
DW4CORE 200
Affected: 300 Affected: 400 Affected: 796 Affected: SAP_BW 740 Affected: 750 Affected: 751 Affected: 752 Affected: 753 Affected: 754 Affected: 755 Affected: 756 Affected: 757 Affected: 758 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "dw4core200"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "300"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "400"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "796"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw_4hana",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "sap_bw_740"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "750"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "751"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "752"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "753"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "754"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "755"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "756"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "757"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_bw",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "758"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T13:51:16.715875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:16:58.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3465455"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP BW/4HANA Transformation and Data Transfer Process",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "DW4CORE 200"
},
{
"status": "affected",
"version": "300"
},
{
"status": "affected",
"version": "400"
},
{
"status": "affected",
"version": "796"
},
{
"status": "affected",
"version": "SAP_BW 740"
},
{
"status": "affected",
"version": "750"
},
{
"status": "affected",
"version": "751"
},
{
"status": "affected",
"version": "752"
},
{
"status": "affected",
"version": "753"
},
{
"status": "affected",
"version": "754"
},
{
"status": "affected",
"version": "755"
},
{
"status": "affected",
"version": "756"
},
{
"status": "affected",
"version": "757"
},
{
"status": "affected",
"version": "758"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application.\n\n\n\n"
}
],
"value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T02:14:45.656Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3465455"
},
{
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization check in SAP BW/4HANA Transformation and DTP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37176",
"datePublished": "2024-06-11T02:14:45.656Z",
"dateReserved": "2024-06-04T07:49:42.492Z",
"dateUpdated": "2024-08-02T03:50:54.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33992 (GCVE-0-2023-33992)
Vulnerability from cvelistv5 – Published: 2023-07-11 02:34 – Updated: 2024-10-29 13:43
VLAI?
Title
Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
Summary
The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
Severity ?
4.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Business Warehouse and SAP BW/4HANA |
Affected:
SAP_BW 730
Affected: SAP_BW 731 Affected: SAP_BW 740 Affected: SAP_BW 750 Affected: DW4CORE 100 Affected: DW4CORE 200 Affected: DW4CORE 300 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3088078"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T18:38:55.404664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T13:43:38.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Warehouse and SAP BW/4HANA",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_BW 730"
},
{
"status": "affected",
"version": "SAP_BW 731"
},
{
"status": "affected",
"version": "SAP_BW 740"
},
{
"status": "affected",
"version": "SAP_BW 750"
},
{
"status": "affected",
"version": "DW4CORE 100"
},
{
"status": "affected",
"version": "DW4CORE 200"
},
{
"status": "affected",
"version": "DW4CORE 300"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\u003c/p\u003e"
}
],
"value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T02:34:11.627Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3088078"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-33992",
"datePublished": "2023-07-11T02:34:11.627Z",
"dateReserved": "2023-05-24T20:41:32.835Z",
"dateUpdated": "2024-10-29T13:43:38.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21466 (GCVE-0-2021-21466)
Vulnerability from cvelistv5 – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
VLAI?
Summary
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
Severity ?
9.9 (Critical)
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP SE | SAP Business Warehouse |
Affected:
< 700
Affected: < 701 Affected: < 702 Affected: < 711 Affected: < 730 Affected: < 731 Affected: < 740 Affected: < 750 Affected: < 782 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:22.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Business Warehouse",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 701"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 711"
},
{
"status": "affected",
"version": "\u003c 730"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 782"
}
]
},
{
"product": "SAP BW/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 100"
},
{
"status": "affected",
"version": "\u003c 200"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T17:06:16",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-21466",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Business Warehouse",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "701"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "711"
},
{
"version_name": "\u003c",
"version_value": "730"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "782"
}
]
}
},
{
"product_name": "SAP BW/4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "100"
},
{
"version_name": "\u003c",
"version_value": "200"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.9",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2999854",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2999854"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-21466",
"datePublished": "2021-01-12T14:42:39",
"dateReserved": "2020-12-30T00:00:00",
"dateUpdated": "2024-08-03T18:16:22.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26838 (GCVE-0-2020-26838)
Vulnerability from cvelistv5 – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
VLAI?
Summary
SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.
Severity ?
9.1 (Critical)
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP SE | SAP Business Warehouse |
Affected:
< 700
Affected: < 701 Affected: < 702 Affected: < 731 Affected: < 740 Affected: < 750 Affected: < 751 Affected: < 752 Affected: < 753 Affected: < 754 Affected: < 755 Affected: < 782 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:03:22.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Business Warehouse",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 701"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 751"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 753"
},
{
"status": "affected",
"version": "\u003c 754"
},
{
"status": "affected",
"version": "\u003c 755"
},
{
"status": "affected",
"version": "\u003c 782"
}
]
},
{
"product": "SAP BW4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 100"
},
{
"status": "affected",
"version": "\u003c 200"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-09T16:31:14",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2020-26838",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Business Warehouse",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "701"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "751"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "753"
},
{
"version_name": "\u003c",
"version_value": "754"
},
{
"version_name": "\u003c",
"version_value": "755"
},
{
"version_name": "\u003c",
"version_value": "782"
}
]
}
},
{
"product_name": "SAP BW4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "100"
},
{
"version_name": "\u003c",
"version_value": "200"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.1",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2983367",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2983367"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2020-26838",
"datePublished": "2020-12-09T16:31:14",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T16:03:22.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0243 (GCVE-0-2019-0243)
Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
VLAI?
Summary
Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP BW/4HANA (DW4CORE) |
Affected:
< 1.0 (SP08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106467"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BW/4HANA (DW4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0 (SP08)"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106467"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0243",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BW/4HANA (DW4CORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.0 (SP08)"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2727623",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2727623"
},
{
"name": "106467",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106467"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0243",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:15.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}