CVE-2025-0058: Authorization Bypass Through User-Controlled Key in SE SAP Business Workflow AND SAP Flexible Workflow

Severity
6.5 MEDIUM (NVD)
EPSS
0.1%
top 68.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 14

Description

In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 2 packages

Patches

Vulnerability Details (2)
CVEList
Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow (2025-01-14)
GHSA
GHSA-qgh2-cjfr-4xrc: In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request t (2025-01-14)
CVE-2025-0058 — MEDIUM severity | cvebase