CVE-2024-39598

Summary

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP CRM WebClient UIS4FND 102affected
SAP_SESAP CRM WebClient UIS4FND 103affected
SAP_SESAP CRM WebClient UIS4FND 104affected
SAP_SESAP CRM WebClient UIS4FND 105affected
SAP_SESAP CRM WebClient UIS4FND 106affected
SAP_SESAP CRM WebClient UIS4FND 107affected
SAP_SESAP CRM WebClient UIS4FND 108affected
SAP_SESAP CRM WebClient UIWEBCUIF 701affected
SAP_SESAP CRM WebClient UIWEBCUIF 731affected
SAP_SESAP CRM WebClient UIWEBCUIF 746affected
SAP_SESAP CRM WebClient UIWEBCUIF 747affected
SAP_SESAP CRM WebClient UIWEBCUIF 748affected
SAP_SESAP CRM WebClient UIWEBCUIF 800affected
SAP_SESAP CRM WebClient UIWEBCUIF 801affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References