Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-39597

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-09 Jul, 2024 | 03:48
Updated At-02 Aug, 2024 | 04:26
Rejected At-
Credits

[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:09 Jul, 2024 | 03:48
Updated At:02 Aug, 2024 | 04:26
Rejected At:
▼CVE Numbering Authority (CNA)
[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

Affected Products
Vendor
SAP SESAP_SE
Product
SAP Commerce
Default Status
unaffected
Versions
Affected
  • HY_COM 2205
  • COM_CLOUD 2211
Problem Types
TypeCWE IDDescription
CWECWE-285CWE-285: Improper Authorization
Type: CWE
CWE ID: CWE-285
Description: CWE-285: Improper Authorization
Metrics
VersionBase scoreBase severityVector
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://url.sap/sapsecuritypatchday
N/A
https://me.sap.com/notes/3490515
N/A
Hyperlink: https://url.sap/sapsecuritypatchday
Resource: N/A
Hyperlink: https://me.sap.com/notes/3490515
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
SAP SEsap
Product
commerce_hycom
CPEs
  • cpe:2.3:a:sap:commerce_hycom:2205:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • 2205
Vendor
SAP SEsap
Product
commerce_cloud
CPEs
  • cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • 2211
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://url.sap/sapsecuritypatchday
x_transferred
https://me.sap.com/notes/3490515
x_transferred
Hyperlink: https://url.sap/sapsecuritypatchday
Resource:
x_transferred
Hyperlink: https://me.sap.com/notes/3490515
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:09 Jul, 2024 | 04:15
Updated At:09 Jul, 2024 | 18:19

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-285Primarycna@sap.com
CWE ID: CWE-285
Type: Primary
Source: cna@sap.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://me.sap.com/notes/3490515cna@sap.com
N/A
https://url.sap/sapsecuritypatchdaycna@sap.com
N/A
Hyperlink: https://me.sap.com/notes/3490515
Source: cna@sap.com
Resource: N/A
Hyperlink: https://url.sap/sapsecuritypatchday
Source: cna@sap.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2024-54197
Matching Score-8
Assigner-SAP SE
ShareView Details
Matching Score-8
Assigner-SAP SE
CVSS Score-7.2||HIGH
EPSS-0.08% / 24.13%
||
7 Day CHG+0.01%
Published-10 Dec, 2024 | 00:12
Updated-10 Dec, 2024 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview)

SAP NetWeaver Administrator(System Overview) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in Server-Side Request Forgery (SSRF) which could have a low impact on integrity and confidentiality of data. It has no impact on availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Administrator(System Overview)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-6311
Matching Score-6
Assigner-SAP SE
ShareView Details
Matching Score-6
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.51%
||
7 Day CHG~0.00%
Published-09 Sep, 2020 | 13:12
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version � 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data.

Action-Not Available
Vendor-SAP SE
Product-s\/4hana_for_financial_products_subledgerbank_analyzerBANKING SERVICES FROM SAP 9.0(Bank Analyzer)S/4HANA FIN PROD SUBLDGR
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-31384
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.2||HIGH
EPSS-0.36% / 57.71%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 18:17
Updated-16 Sep, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX Series: Under a specific device configuration an attacker can access the devices J-Web management services from any interface, regardless of security settings protecting the service

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx5400srx5800srx4200srx550srx300srx5600junossrx4100srx4600srx1500Junos OS
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-939
Improper Authorization in Handler for Custom URL Scheme
Details not found