[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)

Severity Score: 5.0 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): listed under "Affected Vendors, Products, and Versions" below
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)
Descriptions

SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-04 CVE Reserved
  • 2024-07-09 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-09-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
Affected Vendors, Products, and Versions

Vendor   Product                                                Version   Other   Status
SAP SE   SAP Transportation Management (Collaboration Portal)   140       en      Affected
SAP SE   SAP Transportation Management (Collaboration Portal)   150       en      Affected
SAP SE   SAP Transportation Management (Collaboration Portal)   160       en      Affected
SAP SE   SAP Transportation Management (Collaboration Portal)   170       en      Affected