CVE-2024-34684 - OpenCVE

On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Businessobjects Business Intelligence Platform

Configuration 1 [-]

OR	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420::::enterprise:::
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:::::::*
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:440:::::::*

No data.

References

Link	Providers
https://me.sap.com/notes/3441817
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html

History

Fri, 09 Aug 2024 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap businessobjects Business Intelligence Platform
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420::::enterprise::: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:::::::* cpe:2.3:a:sap:businessobjects_business_intelligence_platform:440:::::::*
Vendors & Products		Sap Sap businessobjects Business Intelligence Platform

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-06-11T02:20:31.354Z

Updated: 2024-08-02T02:59:21.825Z

Reserved: 2024-05-07T05:46:11.657Z

Link: CVE-2024-34684

Vulnrichment

Updated: 2024-08-02T02:59:21.825Z

NVD

Status : Analyzed

Published: 2024-06-11T03:15:10.863

Modified: 2024-08-09T19:15:17.677

Link: CVE-2024-34684

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34684", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-05-07T05:46:11.657Z", "datePublished": "2024-06-11T02:20:31.354Z", "dateUpdated": "2024-08-02T02:59:21.825Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "ENTERPRISE 420"}, {"status": "affected", "version": "430"}, {"status": "affected", "version": "440"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files.\n\n\n\n"}], "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-06-11T02:20:31.354Z"}, "references": [{"url": "https://me.sap.com/notes/3441817"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T15:54:46.187310Z", "id": "CVE-2024-34684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T15:54:55.656Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.825Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3441817", "tags": ["x_transferred"]}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3441817", "tags": ["x_transferred"]}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.825Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34684", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-11T15:54:46.187310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T15:54:51.883Z"}}], "cna": {"title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP BusinessObjects Business Intelligence Platform", "versions": [{"status": "affected", "version": "ENTERPRISE 420"}, {"status": "affected", "version": "430"}, {"status": "affected", "version": "440"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3441817"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files.", "supportingMedia": [{"type": "text/html", "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files.\n\n\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-06-11T02:20:31.354Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34684", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:21.825Z", "dateReserved": "2024-05-07T05:46:11.657Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2024-06-11T02:20:31.354Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B8F5EEB7-5ED5-4887-9691-0455B54A74C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:*:*:*:*:*:*:*", "matchCriteriaId": "3E3DF21A-C043-4F60-944D-7ADD6BDDDF51", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:440:*:*:*:*:*:*:*", "matchCriteriaId": "A6862DB5-197F-4B12-96B0-1FA764F4BAAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files."}, {"lang": "es", "value": "En Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) permite que un atacante autenticado con acceso de administrador en el servidor local acceda a la contrase\u00f1a de una cuenta local. Como resultado, un atacante puede obtener credenciales de usuario no administrativas, que le permitir\u00e1n leer o modificar los archivos del servidor remoto."}], "id": "CVE-2024-34684", "lastModified": "2024-08-09T19:15:17.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 2.7, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2024-06-11T03:15:10.863", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3441817"}, {"source": "cna@sap.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "cna@sap.com", "type": "Secondary"}]}