CVE-2024-33003

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3459935	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:commerce_cloud:1811:::::::*
	cpe:2.3:a:sap:commerce_cloud:1905:::::::*
	cpe:2.3:a:sap:commerce_cloud:2005:::::::*
	cpe:2.3:a:sap:commerce_cloud:2011:::::::*
	cpe:2.3:a:sap:commerce_cloud:2105:::::::*
	cpe:2.3:a:sap:commerce_cloud:2205:::::::*
	cpe:2.3:a:sap:commerce_cloud:com_cloud_2211:::::::*
	cpe:2.3:a:sap:commerce_cloud:hy_com_1808:::::::*

History

No history.

Information

Published : 2024-08-13 04:15

Updated : 2024-09-16 16:22

NVD link : CVE-2024-33003

Mitre link : CVE-2024-33003

CVE.ORG link : CVE-2024-33003

JSON object : View

Products Affected

sap

commerce_cloud

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2024-33003", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-08-13T04:15:07.380", "references": [{"url": "https://me.sap.com/notes/3459935", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Some OCC API endpoints in SAP Commerce Cloud\nallows Personally Identifiable Information (PII) data, such as passwords, email\naddresses, mobile numbers, coupon codes, and voucher codes, to be included in\nthe request URL as query or path parameters. On successful exploitation, this\ncould lead to a High impact on confidentiality and integrity of the\napplication."}, {"lang": "es", "value": "Algunos endpoints de la API de OCC en SAP Commerce Cloud permiten que se incluyan datos de informaci\u00f3n de identificaci\u00f3n personal (PII), como contrase\u00f1as, direcciones de correo electr\u00f3nico, n\u00fameros de tel\u00e9fono m\u00f3vil, c\u00f3digos de cup\u00f3n y c\u00f3digos de vale, en la URL de solicitud como par\u00e1metros de consulta o ruta. Si se explota con \u00e9xito, esto podr\u00eda tener un alto impacto en la confidencialidad y la integridad de la aplicaci\u00f3n."}], "lastModified": "2024-09-16T16:22:07.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9DE60D1-95FF-4220-AE63-2C351781FDA1"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19E11B22-F514-48D6-B78F-8A64CE1BA364"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2005:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA3BA250-AB0A-4A27-A81C-C3EECD71B521"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2011:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41BF14BC-9250-4534-AD6D-2C25B64AA78F"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2105:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DBCE898-8BC5-4B02-920D-8EBB1CA4A6B6"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391FB1C6-1A52-4E53-B042-44D592AEC7A5"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:com_cloud_2211:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8A311D9-0059-4DC6-AF86-5041493FB891"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:hy_com_1808:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBCD8DEB-0406-4CFC-8033-9253777DE968"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}