#VU100243 Information disclosure in ABAP Platform and SAP NetWeaver AS ABAP - CVE-2024-47593

Cybersecurity Help s.r.o.

Published: 2024-11-12

Vulnerability identifier: #VU100243

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-47593

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ABAP Platform
Server applications / Application servers
SAP NetWeaver AS ABAP
Server applications / Application servers

Vendor: SAP

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error in the application when reading. A remote attacker can read certain files from the server.

Note, the vulnerability exploitation is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ABAP Platform: 7.53

SAP NetWeaver AS ABAP: 753 - 912

External links
https://me.sap.com/notes/3508947
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP ABAP Platform and SAP NetWeaver AS ABAP