CVE-2024-33005 Vulnerability Analysis & Exploit Details

CVE-2024-33005 Vulnerability Summary

CVE-2024-33005: Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.043% (probability of exploit)

EPSS Percentile: 12.0% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 88.0% of others.

CVE-2024-33005 References

External References

• https://me.sap.com/notes/3438085
• https://url.sap/sapsecuritypatchday

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Exploitation of Thunderbolt Protection Flaws CAPEC-665 An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

Vulnerable Configurations

• cpe:2.3:a:sap:netweaver_abap:kernel_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.54:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.54:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.77:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.77:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.85:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.85:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.89:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.89:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:kernel_7.93:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:kernel_7.93:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.54:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.54:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.77:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.77:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.85:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.85:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.89:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.89:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:kernel_7.93:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:kernel_7.93:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:krnl64nuc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:krnl64nuc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:krnl64nuc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:krnl64uc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:krnl64uc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:krnl64uc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:krnl64uc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:netweaver_java:krnl64uc_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:netweaver_java:krnl64uc_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.54:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.54:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.77:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.77:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.85:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.85:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.89:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.89:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:kernel_7.93:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:kernel_7.93:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:krnl64nuc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:krnl64nuc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:krnl64nuc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:krnl64uc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:krnl64uc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:krnl64uc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:krnl64uc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:content_server:krnl64uc_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:content_server:krnl64uc_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.54:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.54:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.77:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.77:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.85:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.85:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.89:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.89:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:kernel_7.93:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:kernel_7.93:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:krnl64nuc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:krnl64nuc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:krnl64nuc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.22:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.22:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.22ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.22ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:krnl64uc_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.22_ext:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.22_ext:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.53:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.53:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.54:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.54:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.77:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.77:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.85:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.85:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.89:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.89:*:*:*:*:*:*:*
• cpe:2.3:a:sap:web_dispatcher:webdisp_7.93:*:*:*:*:*:*:*
  cpe:2.3:a:sap:web_dispatcher:webdisp_7.93:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-4432 – A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an atta...
• CVE-2025-46193 – SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php.
• CVE-2025-46189 – SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_order_customer_update.php via the order_id POST parameter.
• CVE-2025-46188 – SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in superadmin_phpmyadmin.php.
• CVE-2025-45513 – Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function.P2pListFilter.