Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for bw\/4hana by sap

    CVE-2024-37176 (GCVE-0-2024-37176)

    Vulnerability from nvd – Published: 2024-06-11 02:14 – Updated: 2024-08-02 03:50
    VLAI
    Title
    Missing Authorization check in SAP BW/4HANA Transformation and DTP
    Summary
    SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP BW/4HANA Transformation and Data Transfer Process Affected: DW4CORE 200
    Affected: 300
    Affected: 400
    Affected: 796
    Affected: SAP_BW 740
    Affected: 750
    Affected: 751
    Affected: 752
    Affected: 753
    Affected: 754
    Affected: 755
    Affected: 756
    Affected: 757
    Affected: 758
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: dw4core200
        cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 300
        cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 400
        cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 796
        cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: sap_bw_740
        cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 750
        cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 751
        cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 752
        cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 753
        cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 754
        cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 755
        cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 756
        cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 757
        cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 758
        cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "dw4core200"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "300"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "400"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "796"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "sap_bw_740"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "750"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "751"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "752"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "753"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "754"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "755"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "756"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "757"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "758"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T13:51:16.715875Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-11T14:16:58.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:54.783Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3465455"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP BW/4HANA Transformation and Data Transfer Process",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "DW4CORE 200"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "400"
                },
                {
                  "status": "affected",
                  "version": "796"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 740"
                },
                {
                  "status": "affected",
                  "version": "750"
                },
                {
                  "status": "affected",
                  "version": "751"
                },
                {
                  "status": "affected",
                  "version": "752"
                },
                {
                  "status": "affected",
                  "version": "753"
                },
                {
                  "status": "affected",
                  "version": "754"
                },
                {
                  "status": "affected",
                  "version": "755"
                },
                {
                  "status": "affected",
                  "version": "756"
                },
                {
                  "status": "affected",
                  "version": "757"
                },
                {
                  "status": "affected",
                  "version": "758"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application.\n\n\n\n"
                }
              ],
              "value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-11T02:14:45.656Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3465455"
            },
            {
              "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP BW/4HANA Transformation and DTP",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-37176",
        "datePublished": "2024-06-11T02:14:45.656Z",
        "dateReserved": "2024-06-04T07:49:42.492Z",
        "dateUpdated": "2024-08-02T03:50:54.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33992 (GCVE-0-2023-33992)

    Vulnerability from nvd – Published: 2023-07-11 02:34 – Updated: 2024-10-29 13:43
    VLAI
    Title
    Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
    Summary
    The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Business Warehouse and SAP BW/4HANA Affected: SAP_BW 730
    Affected: SAP_BW 731
    Affected: SAP_BW 740
    Affected: SAP_BW 750
    Affected: DW4CORE 100
    Affected: DW4CORE 200
    Affected: DW4CORE 300
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:54:14.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3088078"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33992",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-25T18:38:55.404664Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T13:43:38.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Business Warehouse and SAP BW/4HANA",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_BW 730"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 731"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 740"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 750"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 100"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 200"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 300"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\u003c/p\u003e"
                }
              ],
              "value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-11T02:34:11.627Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3088078"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-33992",
        "datePublished": "2023-07-11T02:34:11.627Z",
        "dateReserved": "2023-05-24T20:41:32.835Z",
        "dateUpdated": "2024-10-29T13:43:38.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21466 (GCVE-0-2021-21466)

    Vulnerability from nvd – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
    VLAI
    Summary
    SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
    CWE
    • Code Injection
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 711
    Affected: < 730
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW/4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:16:22.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2999854"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 711"
                },
                {
                  "status": "affected",
                  "version": "\u003c 730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:16.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2999854"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-21466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "711"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2999854",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2999854"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-21466",
        "datePublished": "2021-01-12T14:42:39.000Z",
        "dateReserved": "2020-12-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:16:22.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26838 (GCVE-0-2020-26838)

    Vulnerability from nvd – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
    VLAI
    Summary
    SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.
    CWE
    • Code Injection
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 751
    Affected: < 752
    Affected: < 753
    Affected: < 754
    Affected: < 755
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:03:22.812Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2983367"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 751"
                },
                {
                  "status": "affected",
                  "version": "\u003c 752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 753"
                },
                {
                  "status": "affected",
                  "version": "\u003c 754"
                },
                {
                  "status": "affected",
                  "version": "\u003c 755"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-09T16:31:14.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2983367"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-26838",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "751"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "753"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "754"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "755"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2983367",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2983367"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-26838",
        "datePublished": "2020-12-09T16:31:14.000Z",
        "dateReserved": "2020-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:03:22.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-0243 (GCVE-0-2019-0243)

    Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
    VLAI
    Summary
    Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    Severity
    No CVSS data available.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP BW/4HANA (DW4CORE) Affected: < 1.0 (SP08)
    Create a notification for this product.
    Date Public
    2019-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:44:15.938Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2727623"
              },
              {
                "name": "106467",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106467"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP BW/4HANA (DW4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0 (SP08)"
                }
              ]
            }
          ],
          "datePublic": "2019-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-09T10:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2727623"
            },
            {
              "name": "106467",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106467"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2019-0243",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP BW/4HANA (DW4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.0 (SP08)"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2727623",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2727623"
                },
                {
                  "name": "106467",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106467"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2019-0243",
        "datePublished": "2019-01-08T20:00:00.000Z",
        "dateReserved": "2018-11-26T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:44:15.938Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-37176 (GCVE-0-2024-37176)

    Vulnerability from cvelistv5 – Published: 2024-06-11 02:14 – Updated: 2024-08-02 03:50
    VLAI
    Title
    Missing Authorization check in SAP BW/4HANA Transformation and DTP
    Summary
    SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP BW/4HANA Transformation and Data Transfer Process Affected: DW4CORE 200
    Affected: 300
    Affected: 400
    Affected: 796
    Affected: SAP_BW 740
    Affected: 750
    Affected: 751
    Affected: 752
    Affected: 753
    Affected: 754
    Affected: 755
    Affected: 756
    Affected: 757
    Affected: 758
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: dw4core200
        cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 300
        cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 400
        cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: 796
        cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw_4hana Affected: sap_bw_740
        cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 750
        cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 751
        cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 752
        cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 753
        cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 754
        cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 755
        cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 756
        cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 757
        cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*
    Create a notification for this product.
    sap_se sap_bw Affected: 758
        cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:dw4core200:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "dw4core200"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:300:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "300"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:400:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "400"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:796:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "796"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw_4hana:sap_bw_740:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw_4hana",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "sap_bw_740"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:750:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "750"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:751:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "751"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:752:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "752"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:753:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "753"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:754:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "754"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:755:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "755"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:756:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "756"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:757:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "757"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_bw:758:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sap_bw",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "758"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T13:51:16.715875Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-11T14:16:58.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:54.783Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3465455"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP BW/4HANA Transformation and Data Transfer Process",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "DW4CORE 200"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "400"
                },
                {
                  "status": "affected",
                  "version": "796"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 740"
                },
                {
                  "status": "affected",
                  "version": "750"
                },
                {
                  "status": "affected",
                  "version": "751"
                },
                {
                  "status": "affected",
                  "version": "752"
                },
                {
                  "status": "affected",
                  "version": "753"
                },
                {
                  "status": "affected",
                  "version": "754"
                },
                {
                  "status": "affected",
                  "version": "755"
                },
                {
                  "status": "affected",
                  "version": "756"
                },
                {
                  "status": "affected",
                  "version": "757"
                },
                {
                  "status": "affected",
                  "version": "758"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application.\n\n\n\n"
                }
              ],
              "value": "SAP BW/4HANA Transformation and Data Transfer\nProcess (DTP) allows an authenticated attacker to gain higher access levels\nthan they should have by exploiting improper authorization checks. This results\nin escalation of privileges. It has no impact on the confidentiality of data\nbut may have low impacts on the integrity and availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-11T02:14:45.656Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3465455"
            },
            {
              "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP BW/4HANA Transformation and DTP",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-37176",
        "datePublished": "2024-06-11T02:14:45.656Z",
        "dateReserved": "2024-06-04T07:49:42.492Z",
        "dateUpdated": "2024-08-02T03:50:54.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33992 (GCVE-0-2023-33992)

    Vulnerability from cvelistv5 – Published: 2023-07-11 02:34 – Updated: 2024-10-29 13:43
    VLAI
    Title
    Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
    Summary
    The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Business Warehouse and SAP BW/4HANA Affected: SAP_BW 730
    Affected: SAP_BW 731
    Affected: SAP_BW 740
    Affected: SAP_BW 750
    Affected: DW4CORE 100
    Affected: DW4CORE 200
    Affected: DW4CORE 300
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:54:14.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3088078"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33992",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-25T18:38:55.404664Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T13:43:38.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Business Warehouse and SAP BW/4HANA",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_BW 730"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 731"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 740"
                },
                {
                  "status": "affected",
                  "version": "SAP_BW 750"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 100"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 200"
                },
                {
                  "status": "affected",
                  "version": "DW4CORE 300"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\u003c/p\u003e"
                }
              ],
              "value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-11T02:34:11.627Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3088078"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-33992",
        "datePublished": "2023-07-11T02:34:11.627Z",
        "dateReserved": "2023-05-24T20:41:32.835Z",
        "dateUpdated": "2024-10-29T13:43:38.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21466 (GCVE-0-2021-21466)

    Vulnerability from cvelistv5 – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
    VLAI
    Summary
    SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
    CWE
    • Code Injection
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 711
    Affected: < 730
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW/4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:16:22.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2999854"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 711"
                },
                {
                  "status": "affected",
                  "version": "\u003c 730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:16.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2999854"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-21466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "711"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2999854",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2999854"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-21466",
        "datePublished": "2021-01-12T14:42:39.000Z",
        "dateReserved": "2020-12-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:16:22.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26838 (GCVE-0-2020-26838)

    Vulnerability from cvelistv5 – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
    VLAI
    Summary
    SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.
    CWE
    • Code Injection
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 751
    Affected: < 752
    Affected: < 753
    Affected: < 754
    Affected: < 755
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:03:22.812Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2983367"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 751"
                },
                {
                  "status": "affected",
                  "version": "\u003c 752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 753"
                },
                {
                  "status": "affected",
                  "version": "\u003c 754"
                },
                {
                  "status": "affected",
                  "version": "\u003c 755"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-09T16:31:14.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2983367"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-26838",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "751"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "753"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "754"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "755"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2983367",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2983367"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-26838",
        "datePublished": "2020-12-09T16:31:14.000Z",
        "dateReserved": "2020-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:03:22.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-0243 (GCVE-0-2019-0243)

    Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
    VLAI
    Summary
    Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    Severity
    No CVSS data available.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP BW/4HANA (DW4CORE) Affected: < 1.0 (SP08)
    Create a notification for this product.
    Date Public
    2019-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:44:15.938Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2727623"
              },
              {
                "name": "106467",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106467"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP BW/4HANA (DW4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.0 (SP08)"
                }
              ]
            }
          ],
          "datePublic": "2019-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-09T10:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2727623"
            },
            {
              "name": "106467",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106467"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2019-0243",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP BW/4HANA (DW4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.0 (SP08)"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2727623",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2727623"
                },
                {
                  "name": "106467",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106467"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2019-0243",
        "datePublished": "2019-01-08T20:00:00.000Z",
        "dateReserved": "2018-11-26T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:44:15.938Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }