Severity
High
Analysis Summary
CVE-2024-42374 CVSS: 8.2
SAP BEx Web Java Runtime Export Web Service could allow a local attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By supplying specially crafted XML content, an attacker could exploit this vulnerability to obtain sensitive information from the SAP ADS system and exhaust the XMLForm service.
CVE-2024-33003 CVSS: 7.4
SAP Commerce Cloud could allow a remote attacker to obtain sensitive information, caused by Personally Identifiable Information (PII) being included in the request URL as query or path parameters. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and use it to launch further attacks against the affected system.
CVE-2024-41730 CVSS: 9.8
SAP BusinessObjects Business Intelligence Platform could allow a remote attacker to bypass security restrictions, caused by a flaw when Single Sign-On is enabled on Enterprise authentication. By sending a specially crafted request to a REST endpoint, an attacker could exploit this vulnerability to obtain a logon token and fully compromise the system.
Impact
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-42374
- CVE-2024-33003
- CVE-2024-41730
Affected Vendors
- SAP
Affected Products
- SAP Commerce Cloud HY_COM 1808
- SAP Commerce Cloud HY_COM 1811
- SAP Commerce Cloud HY_COM 1905
- SAP Commerce Cloud HY_COM 2005
- SAP Commerce Cloud HY_COM 2105
- SAP Business Objects Business Intelligence Platform ENTERPRISE 430
- SAP Business Objects Business Intelligence Platform ENTERPRISE 440
- SAP BEx Web Java Runtime Export Web Service BI-BASE-B 7.5
- SAP BEx Web Java Runtime Export Web Service BI-BASE-E 7.5
- SAP BEx Web Java Runtime Export Web Service BI-BASE-S 7.5
- SAP BEx Web Java Runtime Export Web Service BI-IBC 7.5
- SAP BEx Web Java Runtime Export Web Service BIWEBAPP 7.5
Remediation
Current SAP customers should refer to the corresponding SAP note for patch information, available from the SAP website (login required).