6.9

CVE-2025-42946

Due to directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorized access to sensitive operating system files. This could allow the attacker to potentially read or delete these files hence causing a high impact on confidentiality and low impact on integrity. There is no impact on availability of the system.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerSAP_SE
Produkt SAP S/4HANA (Bank Communication Management)
Default Statusunaffected
Version SAP_APPL 606
Status affected
Version SAP_FIN 617
Status affected
Version 618
Status affected
Version 720
Status affected
Version 730
Status affected
Version S4CORE 102
Status affected
Version 103
Status affected
Version 104
Status affected
Version 105
Status affected
Version 106
Status affected
Version 107
Status affected
Version 108
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.385
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@sap.com 6.9 1.7 4.7
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.