CVE-2024-28167

Summary

SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, specific data can be changed via the Enter Package Data app although the user does not have sufficient authorization causing high impact on Integrity of the appliction.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Group Reporting Data Collection (Enter Package Data)S4CORE 104affected
SAP_SESAP Group Reporting Data Collection (Enter Package Data)S4CORE 105affected
SAP_SESAP Group Reporting Data Collection (Enter Package Data)S4CORE 106affected
SAP_SESAP Group Reporting Data Collection (Enter Package Data)S4CORE 107affected
SAP_SESAP Group Reporting Data Collection (Enter Package Data)S4CORE 108affected
SAP_SESAP Group Reporting Data Collection (Enter Package Data)SAP_GRDC_CLOUD 1.0.0affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References