August 30, 2024
Severity
Medium
Analysis Summary
CVE-2024-37171 CVSS:5.0
SAP Transportation Management is vulnerable to server-side request forgery (SSRF), caused by improper input validation. By supplying a specially crafted argument, an attacker could conduct an SSRF attack and obtain sensitive service information.
CVE-2024-34689 CVSS:5.0
SAP Business Workflow is vulnerable to server-side request forgery (SSRF), caused by improper input validation. By sending specially crafted HTTP requests, an attacker could conduct an SSRF attack and enumerate HTTP endpoints reachable from the application server.
CVE-2024-42375 CVSS:4.3
SAP BusinessObjects Business Intelligence Platform could allow a remote authenticated attacker to upload arbitrary files, caused by improper validation of file extensions. By sending a specially crafted HTTP request, the attacker could upload a malicious file, which could lead to execution of arbitrary code on the vulnerable system.
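The two bug classes above, SSRF through an unchecked outbound URL and arbitrary upload through a weak file-extension check, come down to the same root cause the advisory names: improper input validation. The following is an added, illustrative example (not SAP's code, and not the vulnerable code itself, which is not public): a denylist-style extension check of the kind that is routinely bypassed next to an allowlist replacement, and an SSRF destination check that refuses loopback, RFC 1918, link-local (cloud metadata) and other non-routable targets. The hostnames, addresses and filenames are constructed, and DNS is replaced by a lookup table so it runs offline.

```python
"""Illustrative input-validation checks for the SSRF and file-upload bug
classes in this advisory. Added example, not SAP code; all hosts,
addresses and filenames below are constructed."""
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (assumption).
_FAKE_DNS = {
    "reports.example.com": "93.184.216.34",   # public address
    "intranet.example.com": "10.0.0.5",       # RFC 1918, must be refused
    "localhost": "127.0.0.1",
}

ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
ALLOWED_PORTS = {80, 443}


def weak_extension_check(filename: str) -> bool:
    """Denylist check of the kind 'improper validation of file extensions'
    usually means: case-sensitive and looking only at the literal suffix,
    so 'shell.JSP', 'shell.jsp.' and 'shell.jspx' all slip through."""
    return not filename.endswith((".jsp", ".php", ".exe"))


def strict_extension_check(filename: str) -> bool:
    """Allowlist check: strip any path, normalise the name, take only the
    final extension and require it (lower-cased) to be in the allowlist."""
    name = posixpath.basename(filename.replace("\\", "/"))
    name = name.rstrip(". ")          # some filesystems drop trailing dots/spaces
    if not name or name.startswith("."):
        return False
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return False
    return ext.lower() in ALLOWED_UPLOAD_EXTENSIONS


def resolve(host: str) -> str:
    """Resolve via the constructed table; a real deployment would query DNS
    here and then connect to the address it validated (see note below)."""
    try:
        return str(ipaddress.ip_address(host))   # IP literal, nothing to resolve
    except ValueError:
        return _FAKE_DNS.get(host.lower(), "0.0.0.0")


def ssrf_target_allowed(url: str) -> bool:
    """Accept only http(s) URLs on standard ports, without userinfo, whose
    host resolves to a publicly routable address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None:            # http://user@internal-host/ tricks
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                        # malformed port
        return False
    if port not in ALLOWED_PORTS:
        return False
    ip = ipaddress.ip_address(resolve(parts.hostname))
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    for name in ("shell.JSP", "shell.jsp.", "report.pdf", "../../etc/passwd"):
        print(f"{name!r}: weak={weak_extension_check(name)} strict={strict_extension_check(name)}")
    for url in ("https://reports.example.com/export", "http://localhost/admin",
                "http://169.254.169.254/latest/meta-data/", "http://[::1]/"):
        print(f"{url!r}: allowed={ssrf_target_allowed(url)}")
```

Two caveats a practitioner would want: the extension allowlist only governs what the server will store and serve by suffix, so content sniffing and the storage location still matter; and the SSRF check validates the address at check time, so the HTTP client must connect to that same validated address (or the check must be repeated at connect time), otherwise DNS rebinding between check and use defeats it.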
Impact
- Gain Access
- Information Disclosure
- Code Execution
Indicators of Compromise
CVE
- CVE-2024-37171
- CVE-2024-34689
- CVE-2024-42375
Affected Vendors
- SAP
Affected Products
- SAP BusinessObjects Business Intelligence Platform ENTERPRISE 420
- SAP BusinessObjects Business Intelligence Platform ENTERPRISE 430
- SAP BusinessObjects Business Intelligence Platform ENTERPRISE 440
- SAP Transportation Management SAPTMUI 140
- SAP Transportation Management SAPTMUI 150
- SAP Transportation Management SAPTMUI 160
- SAP Transportation Management SAPTMUI 170
- SAP Business Workflow SAP_BASIS 700
- SAP Business Workflow SAP_BASIS 701
- SAP Business Workflow SAP_BASIS 702
- SAP Business Workflow SAP_BASIS 731
Remediation
Current SAP customers should refer to the SAP Security Notes for these CVEs, published through the SAP Support Portal (S-user login required), and apply the patches for the listed component versions (SAP_BASIS, SAPTMUI and the BusinessObjects BI Platform releases above). Verify the installed component versions against the affected list before and after patching. Until patches are applied, restrict outbound HTTP from the affected application servers to required destinations and limit file-upload privileges on the BI Platform to trusted users.