CVE-2024-42380
MEDIUM
SAP NetWeaver Application Server for ABAP and ABAP Platform - Missing Authorization in RFC Function Module
The RFC-enabled function module allows a low-privileged user to read any user's workplace favourites and user menu, along with all the specific data of each node. Usernames can be enumerated by exploiting this vulnerability. There is low impact on confidentiality of the application.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3488039
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
4.3
EPSS
0.0011
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (15)
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
700
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
701
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
702
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
731
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
740
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
750
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
751
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
752
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
753
SAP_SE/SAP NetWeaver Application Server for ABAP and ABAP Platform
754
... and 5 more
Published
Sep 10, 2024
Tracked Since
Feb 18, 2026