CVE-2024-42374

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.
References
Link Resource
https://me.sap.com/notes/3485284 Permissions Required
https://url.sap/sapsecuritypatchday Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-b_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-e_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-s_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-ibc_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:biwebapp_7.5:*:*:*:*:*:*:*

History

16 Sep 2024, 16:25

Type Values Removed Values Added
First Time Sap
Sap bex Web Java Runtime Export Web Service
References () https://me.sap.com/notes/3485284 - () https://me.sap.com/notes/3485284 - Permissions Required
References () https://url.sap/sapsecuritypatchday - () https://url.sap/sapsecuritypatchday - Vendor Advisory
CPE cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-b_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-ibc_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-s_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:bi-base-e_7.5:*:*:*:*:*:*:*
cpe:2.3:a:sap:bex_web_java_runtime_export_web_service:biwebapp_7.5:*:*:*:*:*:*:*
Summary
  • (es) El servicio web BEx Web Java Runtime Export no valida suficientemente un documento XML aceptado de una fuente que no es de confianza. Un atacante puede recuperar información del sistema SAP ADS y agotar la cantidad de servicios XMLForm, lo que hace que la representación de SAP ADS (creación de PDF) no esté disponible. Esto afecta la confidencialidad y disponibilidad de la aplicación.

13 Aug 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-13 04:15

Updated : 2024-09-16 16:25


NVD link : CVE-2024-42374

Mitre link : CVE-2024-42374

CVE.ORG link : CVE-2024-42374


JSON object : View

Products Affected

sap

  • bex_web_java_runtime_export_web_service
CWE
CWE-91

XML Injection (aka Blind XPath Injection)