CVE-2024-37171

Published: Jul 9, 2024Modified: Nov 21, 2024

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: NVD

Description

SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.

Affected (5)

Products: Sap: Saptmui, Transportation Management

2 products

Transportation Management

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Sap Saptmui	Version 140
Sap Saptmui	Version 150
Sap Saptmui	Version 160
Sap Saptmui	Version 170
Sap Transportation Management	All versions

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://me.sap.com/notes/3469958

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Vendor Advisory

https://me.sap.com/notes/3469958

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://url.sap/sapsecuritypatchday

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.