Improper Control of Dynamically-Identified Variables
CVE-2024-54198
Summary
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
- HIGH
- NETWORK
- HIGH
- CHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-914 - Improper Control of Dynamically-Identified Variables
The software does not properly restrict reading from or writing to dynamically-identified variables.
Advisory Timeline
- Published