CVE-2024-22131

Code Injection vulnerability in SAP ABA (Application Basis)

  • Severity Score: 9.1 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)

Descriptions

In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform.  Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-01-05 CVE Reserved
  • 2024-02-13 CVE Published
  • 2024-08-01 CVE Updated
  • 2024-10-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|--------|---------|---------|-------|--------|
| SAP SE | SAP ABA (Application Basis) | 700 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 701 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 702 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 731 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 740 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 750 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 751 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 752 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 75 | en | Affected |
| SAP SE | SAP ABA (Application Basis) | 75 | en | Affected |