CVE-2024-37172 - Vulnerability Details - OpenCVE

SAP S/4HANA Finance (Advanced Payment
Management) does not perform necessary authorization check for an authenticated
user, resulting in escalation of privileges. As a result, it has a low impact
to confidentiality and availability but there is no impact on the integrity.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00154.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	S4core S\/4hana

Configuration 1 [-]

AND

OR	cpe:2.3:a:sap:s4core:107:::::::*
	cpe:2.3:a:sap:s4core:108:::::::*

cpe:2.3:a:sap:s\/4hana:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-36478	SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://me.sap.com/notes/3457354
https://url.sap/sapsecuritypatchday

History

Mon, 09 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap s4core Sap s\/4hana
CPEs		cpe:2.3:a:sap:s4core:107:::::::* cpe:2.3:a:sap:s4core:108:::::::* cpe:2.3:a:sap:s\/4hana:-:::::::*
Vendors & Products		Sap Sap s4core Sap s\/4hana

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-07-09T04:15:22.833Z

Updated: 2024-08-02T03:50:54.731Z

Reserved: 2024-06-04T07:49:42.491Z

Link: CVE-2024-37172

Vulnrichment

Updated: 2024-08-02T03:50:54.731Z

NVD

Status : Modified

Published: 2024-07-09T05:15:11.607

Modified: 2024-11-21T09:23:21.367

Link: CVE-2024-37172

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37172", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-06-04T07:49:42.491Z", "datePublished": "2024-07-09T04:15:22.833Z", "dateUpdated": "2024-08-02T03:50:54.731Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP S/4HANA Finance (Advanced Payment Management)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "S4CORE 107"}, {"status": "affected", "version": "S4CORE 108"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity.\n\n\n\n"}], "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-07-09T04:15:22.833Z"}, "references": [{"url": "https://url.sap/sapsecuritypatchday"}, {"url": "https://me.sap.com/notes/3457354"}], "source": {"discovery": "UNKNOWN"}, "title": "[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:16:10.095214Z", "id": "CVE-2024-37172", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:16:18.449Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.731Z"}, "title": "CVE Program Container", "references": [{"url": "https://url.sap/sapsecuritypatchday", "tags": ["x_transferred"]}, {"url": "https://me.sap.com/notes/3457354", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://url.sap/sapsecuritypatchday", "tags": ["x_transferred"]}, {"url": "https://me.sap.com/notes/3457354", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.731Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37172", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T15:16:10.095214Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:16:14.947Z"}}], "cna": {"title": "[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA Finance (Advanced Payment Management)", "versions": [{"status": "affected", "version": "S4CORE 107"}, {"status": "affected", "version": "S4CORE 108"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://url.sap/sapsecuritypatchday"}, {"url": "https://me.sap.com/notes/3457354"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity.", "supportingMedia": [{"type": "text/html", "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity.\n\n\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-07-09T04:15:22.833Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37172", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:54.731Z", "dateReserved": "2024-06-04T07:49:42.491Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2024-07-09T04:15:22.833Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:s4core:107:*:*:*:*:*:*:*", "matchCriteriaId": "5DEFABE8-1797-4C7B-941C-3205AE90914B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:108:*:*:*:*:*:*:*", "matchCriteriaId": "78832FB6-B1DD-4516-B1DF-D90BB58BF25A", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:sap:s\\/4hana:-:*:*:*:*:*:*:*", "matchCriteriaId": "61225714-D573-435F-9423-7AE6A8ED59BC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity."}, {"lang": "es", "value": "SAP S/4HANA Finance (Advanced Payment Management) no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un bajo impacto en la confidencialidad y la disponibilidad, pero no tiene ning\u00fan impacto en la integridad."}], "id": "CVE-2024-37172", "lastModified": "2024-11-21T09:23:21.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-09T05:15:11.607", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3457354"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3457354"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Secondary"}]}