CVE-2024-42374 HIGH

CVE-2024-42374: XML injection in SAP BEx Web Java Runtime Export Web Service

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Weakness CWE-91 · XML injection

Published August 13, 2024

Last update August 14, 2024

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

Description

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.

Key dates

Disclosure timeline

August 13, 2024 CVE published

August 14, 2024 Record updated

Identifiers

CVE CVE-2024-42374

CWE CWE-91

CVSS 8.2 / HIGH

Affected versions

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Affected BI-BASE-E 7.5

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Affected BI-BASE-B 7.5

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Affected BI-IBC 7.5

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Affected BI-BASE-S 7.5

Vendor Sap_Se

Product SAP BEx Web Java Runtime Export Web Service

Affected BIWEBAPP 7.5