CVE-2024-34689

Summary

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 700affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 701affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 702affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 731affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 740affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 750affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 751affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 752affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 753affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 754affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 755affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 756affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 757affected
SAP_SESAP Business Workflow (WebFlow Services)SAP_BASIS 758affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References