CVE-2025-43002External Control of Assumed-Immutable Web Parameter in SE SAP S4 Hana

CWE-472External Control of Assumed-Immutable Web Parameter3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 58.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP S4 Hana
Timeline
PublishedMay 13

Description

SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5sap_se/sap_s4_hana5 versions+4

🔴Vulnerability Details

2
CVEList
Missing Authorization check in SAP S4/HANA (OData meta-data property)2025-05-13
GHSA
GHSA-v2rg-3wmw-65x9: SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check2025-05-13
CVE-2025-43002 — SAP SE SAP S4 Hana vulnerability | cvebase