PT-2023-4247 · SAP · SAP Commerce Cloud (+1)

Published: 2023-06-07 · Updated: 2024-09-28 · CVE-2023-37486

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SAP Commerce Cloud versions HY COM 2105, HY COM 2205, COM CLOUD 2211
SAP Hybris Commerce versions HY COM 2105, HY COM 2205

Description

The issue is related to the implementation of the Omni Commerce Connect (OCC) API in SAP Commerce Cloud and SAP Hybris Commerce, which lacks sufficient protection of service data. This can allow a remote attacker to impact the confidentiality of protected information. Under certain conditions, the OCC API endpoints may permit an attacker to access restricted information, potentially resulting in a high impact on confidentiality without affecting the integrity or availability of the application.

Recommendations

For versions HY COM 2105, HY COM 2205, and COM CLOUD 2211, consider restricting access to the OCC API endpoints to minimize the risk of exploitation. As a temporary workaround, consider disabling the OCC API until a patch is available. Restrict access to sensitive information to minimize the risk of confidentiality breaches.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-04562
CVE-2023-37486

Affected Products

SAP Commerce Cloud
SAP Hybris Commerce