Description
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- SAP_SE / SAP Commerce CloudHY_COM 2205 – HY_COM 2205
- SAP_SE / SAP Commerce CloudCOM_CLOUD 2211 – COM_CLOUD 2211
- SAP_SE / SAP Commerce Cloud2211-JDK21 – 2211-JDK21