Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2024-33003

Published: Aug 13, 2024 | Modified: Sep 16, 2024
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-33003
CWEhttps://cwe.mitre.org/data/definitions/.html

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

Affected Software

Name Vendor Start Version End Version
Commerce_cloud Sap 1811 (including) 1811 (including)
Commerce_cloud Sap 1905 (including) 1905 (including)
Commerce_cloud Sap 2005 (including) 2005 (including)
Commerce_cloud Sap 2011 (including) 2011 (including)
Commerce_cloud Sap 2105 (including) 2105 (including)
Commerce_cloud Sap 2205 (including) 2205 (including)
Commerce_cloud Sap com_cloud_2211 (including) com_cloud_2211 (including)
Commerce_cloud Sap hy_com_1808 (including) hy_com_1808 (including)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use