CVE-2024-39597 (GCVE-0-2024-39597)
Vulnerability from cvelistv5
Published
2024-07-09 03:48
Modified
2024-08-02 04:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
In SAP Commerce, a user can misuse the forgotten
password functionality to gain access to a Composable Storefront B2B site for
which early login and registration is activated, without requiring the merchant
to approve the account beforehand. If the site is not configured as isolated
site, this can also grant access to other non-isolated early login sites, even
if registration is not enabled for those other sites.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce |
Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap:commerce_hycom:2205:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_hycom",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2205"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2211"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T16:16:45.901701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T16:20:38.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3490515"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Commerce",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HY_COM 2205"
},
{
"status": "affected",
"version": "COM_CLOUD 2211"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In SAP Commerce, a user can misuse the forgotten\npassword functionality to gain access to a Composable Storefront B2B site for\nwhich early login and registration is activated, without requiring the merchant\nto approve the account beforehand. If the site is not configured as isolated\nsite, this can also grant access to other non-isolated early login sites, even\nif registration is not enabled for those other sites.\n\n\n\n"
}
],
"value": "In SAP Commerce, a user can misuse the forgotten\npassword functionality to gain access to a Composable Storefront B2B site for\nwhich early login and registration is activated, without requiring the merchant\nto approve the account beforehand. If the site is not configured as isolated\nsite, this can also grant access to other non-isolated early login sites, even\nif registration is not enabled for those other sites."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T03:48:11.488Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3490515"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-39597",
"datePublished": "2024-07-09T03:48:11.488Z",
"dateReserved": "2024-06-26T09:58:24.095Z",
"dateUpdated": "2024-08-02T04:26:15.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39597\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-09T16:16:45.901701Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap:commerce_hycom:2205:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_hycom\", \"versions\": [{\"status\": \"affected\", \"version\": \"2205\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"2211\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-09T16:20:33.694Z\"}}], \"cna\": {\"title\": \"[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Commerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"HY_COM 2205\"}, {\"status\": \"affected\", \"version\": \"COM_CLOUD 2211\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\"}, {\"url\": \"https://me.sap.com/notes/3490515\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In SAP Commerce, a user can misuse the forgotten\\npassword functionality to gain access to a Composable Storefront B2B site for\\nwhich early login and registration is activated, without requiring the merchant\\nto approve the account beforehand. If the site is not configured as isolated\\nsite, this can also grant access to other non-isolated early login sites, even\\nif registration is not enabled for those other sites.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In SAP Commerce, a user can misuse the forgotten\\npassword functionality to gain access to a Composable Storefront B2B site for\\nwhich early login and registration is activated, without requiring the merchant\\nto approve the account beforehand. If the site is not configured as isolated\\nsite, this can also grant access to other non-isolated early login sites, even\\nif registration is not enabled for those other sites.\\n\\n\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-07-09T03:48:11.488Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-39597\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-09T16:20:38.023Z\", \"dateReserved\": \"2024-06-26T09:58:24.095Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-07-09T03:48:11.488Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…