Attack on WebFlow Services Exposes Internal Network Endpoints
CVE-2024-34689

5MEDIUM

Key Information:

Vendor: SAP
Status: SAP Business Workflow (webflow Services)
Vendor: CVE Published:; 9 July 2024

Summary

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Affected Version(s)

SAP Business Workflow (WebFlow Services) SAP_BASIS 700

SAP Business Workflow (WebFlow Services) SAP_BASIS 701

SAP Business Workflow (WebFlow Services) SAP_BASIS 702

References

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3458789

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 9, 2024
Vulnerability Reserved
May 7, 2024