CVE-2024-21737

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21737
In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://me.sap.com/notes/3411869 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:application_interface_framework:702:*:*:*:*:*:*:*
History

16 Jan 2024, 17:45

Type Values Removed Values Added
First Time Sap
Sap application Interface Framework
CVSS v2 : unknown
v3 : 8.4 		v2 : unknown
v3 : 9.1
CPE cpe:2.3:a:sap:application_interface_framework:702:*:*:*:*:*:*:*
References () https://me.sap.com/notes/3411869 - () https://me.sap.com/notes/3411869 - Permissions Required
References () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

09 Jan 2024, 14:01

Type Values Removed Values Added
Summary
  • (es) En SAP Application Interface Framework File Adapter, versión 702, un usuario con privilegios elevados puede utilizar un módulo de funciones para atravesar varias capas y ejecutar comandos del sistema operativo directamente. De esta forma, dicho usuario puede controlar el comportamiento de la aplicación. Esto tiene un impacto considerable en la confidencialidad, la integridad y la disponibilidad.

09 Jan 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-09 02:15

Updated : 2024-01-16 17:45

NVD link : CVE-2024-21737

Mitre link : CVE-2024-21737

CVE.ORG link : CVE-2024-21737

JSON object : View

Products Affected

sap

  • application_interface_framework
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')