SAP CRM Vulnerability: Authenticated Attacker can Enumerate Accessible HTTP Endpoints
CVE-2024-39598

7.7HIGH

Key Information:

Vendor: SAP
Status: SAP Crm Webclient Ui
Vendor: CVE Published:; 9 July 2024

What is CVE-2024-39598?

The SAP CRM WebClient UI Framework is susceptible to a vulnerability that allows authenticated attackers to craft specific HTTP requests. By exploiting this flaw, attackers can enumerate the HTTP endpoints available within the internal network. Although this vulnerability does not affect the integrity or availability of the application, it poses a significant risk of information disclosure. Organizations utilizing this product should prioritize mitigating this vulnerability to protect sensitive information from unauthorized access.

Affected Version(s)

SAP CRM WebClient UI S4FND 102

SAP CRM WebClient UI S4FND 103

SAP CRM WebClient UI S4FND 104

References

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3467377

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2024
Vulnerability Reserved
Jun 26, 2024