XML Injection (aka Blind XPath Injection) (CWE-91)
The vulnerability affects the BEx Web Java Runtime Export Web Service, which does not sufficiently validate XML documents accepted from untrusted sources. This vulnerability allows an attacker to retrieve information from the SAP ADS system and exhaust the number of XMLForm services, potentially making the SAP ADS rendering (PDF creation) unavailable.
The impact of this vulnerability is significant:
1. Confidentiality breach: Attackers can retrieve information from the SAP ADS system, potentially exposing sensitive data.
2. Availability compromise: By exhausting the XMLForm services, attackers can make the SAP ADS rendering (PDF creation) unavailable, disrupting normal business operations.
3. The vulnerability has a CVSS v3.1 base score of 8.2 (High), with the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H. This indicates:
   - Network-based attack vector
   - Low attack complexity
   - No privileges required
   - No user interaction needed
   - Low confidentiality impact
   - High availability impact

The vulnerability is classified as XML Injection (CWE-91), also known as Blind XPath Injection. This type of attack can lead to unauthorized access to data and potential system compromise.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available for this vulnerability. SAP has released a security patch, which can be found at https://url.sap/sapsecuritypatchday. The patch was added on September 16, 2024.
To mitigate this vulnerability, consider the following recommendations:
1. Apply the available security patch from SAP as soon as possible.
2. Prioritize patching for the following affected products and versions:
   - BEx Web Java Runtime Export Web Service:
     - bi-base-b_7.5
     - bi-base-e_7.5
     - bi-base-s_7.5
     - bi-ibc_7.5
     - biwebapp_7.5
3. Implement input validation and sanitization for XML documents, especially those from untrusted sources.
4. Use XML parsing libraries that are resistant to XML injection attacks.
5. Implement proper access controls and authentication mechanisms to limit exposure.
6. Monitor systems for unusual activity, particularly focusing on XML-related operations and PDF rendering services.
7. Consider implementing XML firewalls or Web Application Firewalls (WAF) to filter malicious XML content.
8. Regularly update and patch all SAP systems, not just those directly affected by this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
NVD published the first details for CVE-2024-42374
Feedly found the first article mentioning CVE-2024-42374.
Feedly estimated the CVSS score as MEDIUM