Authorization bypass in SAP Content Server
CVE-2024-33005
Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actio…
Vulnerability class: Broken Access Control
EPSS: 0.002 (11.0th percentile).
CVSS v3 metric
CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H. Decoded: local attack vector, low attack complexity, high privileges required (consistent with the description, which requires an admin user), no user interaction, scope unchanged; low confidentiality impact, high integrity and availability impact. The high-privilege and local requirements are what keep this at Medium despite the H/H integrity and availability impact.
Affected products
- SAP Content Server (CPE: sap:content_server) — kernel 7.22, kernel 7.53, kernel 7.54
- SAP NetWeaver AS ABAP (CPE: sap:netweaver_abap) — kernel 7.22, kernel 7.53, kernel 7.54
- SAP NetWeaver AS Java (CPE: sap:netweaver_java) — kernel 7.22, kernel 7.53, kernel 7.54
- SAP Web Dispatcher (CPE: sap:web_dispatcher) — kernel 7.22, kernel 7.53, kernel 7.54
- SAP SE, as listed by the CNA: SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher, Content Server — KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22
Weakness classification (CWE)
- CWE-862: Missing Authorization
Public proof-of-concept exploits
References
- cna@sap.com (Permissions Required)
- cna@sap.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2024-33005?
- CVE-2024-33005 is a medium-severity vulnerability in SAP Content Server (and the other SAP kernel-based components listed above), classified under Missing Authorization. CVSS score: 6.3/10. Published 2024-08-13.
- How severe is CVE-2024-33005?
- Medium severity. CVSS v3 base score is 6.3 out of 10.
- Is CVE-2024-33005 known to be exploited?
- One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.