CVE-2024-34692

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3476340	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory
https://me.sap.com/notes/3476340	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-09 05:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-34692

Mitre link : CVE-2024-34692

CVE.ORG link : CVE-2024-34692

JSON object : View

Products Affected

sap

enable_now

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-34692", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2024-07-09T05:15:11.183", "references": [{"url": "https://me.sap.com/notes/3476340", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3476340", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Due to missing verification of file type or\ncontent, SAP Enable Now allows an authenticated attacker to upload arbitrary\nfiles. These files include executables which might be downloaded and executed\nby the user which could host malware. On successful exploitation an attacker\ncan cause limited impact on confidentiality and Integrity of the application."}, {"lang": "es", "value": "Debido a la falta de verificaci\u00f3n del tipo o contenido del archivo, SAP Enable Now permite que un atacante autenticado cargue archivos arbitrarios. Estos archivos incluyen archivos ejecutables que el usuario puede descargar y ejecutar y que podr\u00edan alojar malware. Si un atacante la explota con \u00e9xito, puede causar un impacto limitado en la confidencialidad y la integridad de la aplicaci\u00f3n."}], "lastModified": "2024-11-21T09:19:12.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1C2C770-82FA-45DE-9EEA-E377501B05A9"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}