CVE-2024-42374

EPSS 0.51%
Published 13.08.2024 04:15:10
Last modified 16.09.2024 16:25:54
Source cna@sap.com
Teams watchlist Login
Open Login

BEx Web Java Runtime Export Web Service does not
sufficiently validate an XML document accepted from an untrusted source. An
attacker can retrieve information from the SAP ADS system and exhaust the
number of XMLForm service which makes the SAP ADS rendering (PDF creation)
unavailable. This affects the confidentiality and availability of the
application.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Bex Web Java Runtime Export Web Service Versionbi-base-b_7.5

SAP ≫ Bex Web Java Runtime Export Web Service Versionbi-base-e_7.5

SAP ≫ Bex Web Java Runtime Export Web Service Versionbi-base-s_7.5

SAP ≫ Bex Web Java Runtime Export Web Service Versionbi-ibc_7.5

SAP ≫ Bex Web Java Runtime Export Web Service Versionbiwebapp_7.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.51%	0.653

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
cna@sap.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://url.sap/sapsecuritypatchday

Vendor Advisory

https://me.sap.com/notes/3485284

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2024-42374

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-42374

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-42374

EUVD