CVE-2024-54198

EPSS 0.15%
Published 10.12.2024 01:15:06
Last modified 10.12.2024 01:15:06
Source cna@sap.com
Teams watchlist Login
Open Login

In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorSAP_SE

≫

Product SAP NetWeaver Application Server ABAP

Default Statusunaffected

Version KRNL64NUC 7.22

Status affected

Version 7.22EXT

Status affected

Version KRNL64UC 7.22

Status affected

Version 7.53

Status affected

Version KERNEL 7.22

Status affected

Version 7.54

Status affected

Version 7.77

Status affected

Version 7.89

Status affected

Version 7.93

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.366

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cna@sap.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-914 Improper Control of Dynamically-Identified Variables

The product does not properly restrict reading from or writing to dynamically-identified variables.

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3469791

https://nvd.nist.gov/vuln/detail/CVE-2024-54198

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-54198

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-54198

EUVD