Authenticated HTTP Verb Manipulation in SAP CRM WebClient UI
CVE-2023-29189 Published on April 11, 2023

HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI)
SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields

NVD

Vulnerability Analysis

CVE-2023-29189 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Products Associated with CVE-2023-29189

stack.watch emails you whenever new vulnerabilities are published in SAP Customer Relationship Management Webclient Ui or SAP Customer Relationship Management S4fnd. Just hit a watch button to start following.

SAP Customer Relationship Management Webclient Ui

SAP Customer Relationship Management S4fnd

Affected Versions

SAP CRM (WebClient UI):

Version S4FND 102 is affected.
Version S4FND 103 is affected.
Version S4FND 104 is affected.
Version S4FND 105 is affected.
Version S4FND 106 is affected.
Version S4FND 107 is affected.
Version WEBCUIF 700 is affected.
Version WEBCUIF 701 is affected.
Version WEBCUIF 731 is affected.
Version WEBCUIF 730 is affected.
Version WEBCUIF 746 is affected.
Version WEBCUIF 747 is affected.
Version WEBCUIF 748 is affected.
Version WEBCUIF 800 is affected.
Version WEBCUIF 801 is affected.

Exploit Probability

EPSS

0.38%

Percentile

58.69%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.