Impact
SAP HANA Database user self‑service tools allow an unauthenticated attacker to send crafted requests that yield distinct responses. These responses let the attacker determine which usernames and associated email addresses exist in the system. The vulnerability provides low‑severity confidentiality exposure; it does not affect the integrity or availability of the application.
Affected Systems
The affected product is SAP HANA Extended Application Services classic model (User Self Service) from SAP SE. No specific version details are listed in the CNA data; all installations of this component are potentially impacted.
Risk and Exploitability
The CVSS score of 3.7 indicates a low overall severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited or no evidence of active exploitation in the wild. The likely attack vector is remote over the web interface used for user self‑service; an attacker can craft requests from any network that can reach the service. Since the attack requires no authentication, it is easily repeatable and could be automated if the service is exposed to the internet.
OpenCVE Enrichment