CVE-2024-21737 - OpenCVE

In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Application Interface Framework

Configuration 1 [-]

cpe:2.3:a:sap:application_interface_framework:702:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://me.sap.com/notes/3411869
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-01-09T01:18:19.305Z

Updated: 2024-08-01T22:27:36.109Z

Reserved: 2024-01-01T10:54:59.645Z

Link: CVE-2024-21737

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-09T02:15:45.823

Modified: 2024-01-16T17:45:47.083

Link: CVE-2024-21737

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21737", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-01-01T10:54:59.645Z", "datePublished": "2024-01-09T01:18:19.305Z", "dateUpdated": "2024-08-01T22:27:36.109Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Application Interface Framework (File Adapter)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "702"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.</p>"}], "value": "In SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-01-09T01:18:19.305Z"}, "references": [{"url": "https://me.sap.com/notes/3411869"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Code Injection vulnerability in SAP Application Interface Framework (File Adapter)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.109Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3411869", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:application_interface_framework:702:*:*:*:*:*:*:*", "matchCriteriaId": "30146C01-CD00-4100-BB51-7ADD88F69A64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\n\n"}, {"lang": "es", "value": "En SAP Application Interface Framework File Adapter, versi\u00f3n 702, un usuario con privilegios elevados puede utilizar un m\u00f3dulo de funciones para atravesar varias capas y ejecutar comandos del sistema operativo directamente. De esta forma, dicho usuario puede controlar el comportamiento de la aplicaci\u00f3n. Esto tiene un impacto considerable en la confidencialidad, la integridad y la disponibilidad."}], "id": "CVE-2024-21737", "lastModified": "2024-01-16T17:45:47.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2024-01-09T02:15:45.823", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3411869"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "cna@sap.com", "type": "Primary"}]}