CVE-2024-45277

4.3 MEDIUM

📋 TL;DR

The SAP HANA Node.js client package versions 2.0.0 through 2.21.30 are vulnerable to prototype pollution when using the nestTables feature. This allows attackers to add arbitrary properties to global object prototypes, potentially causing application instability. Organizations using affected versions of the SAP HANA Node.js client are impacted.

💻 Affected Systems

Products:
  • SAP HANA Node.js client package (@sap/hana-client)
Versions: 2.0.0 through 2.21.30
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the nestTables feature with unsanitized user input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Application crashes or denial of service due to prototype pollution corrupting global objects, leading to system instability.

🟠 Likely Case

Low availability impact with potential application errors or crashes when malicious input is processed through nestTables.

🟢 If Mitigated

Minimal impact if proper input validation and sanitization are implemented, or if the nestTables feature is disabled.

🌐 Internet-Facing: LOW - Requires specific API endpoints using nestTables feature with user-controlled input.
🏢 Internal Only: LOW - Same requirements as internet-facing; limited to applications using vulnerable feature.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to API endpoints using nestTables feature with user-controlled input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.21.31 and later

Vendor Advisory: https://me.sap.com/notes/3520100

Restart Required: Yes

Instructions:

1. Update the @sap/hana-client package to version 2.21.31 or later using npm update @sap/hana-client.
2. Restart all Node.js applications using the updated package.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable nestTables feature

Applies to: all

Avoid using the nestTables option in HANA client queries if not required.

Modify application code to remove or avoid the nestTables: true parameter in database queries.

Input validation

Applies to: all

Implement strict input validation and sanitization for all user inputs passed to database queries.

Implement input validation middleware before processing database queries.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Disable or avoid using the nestTables feature in application code

🔍 How to Verify

Check if Vulnerable:

Check package.json for @sap/hana-client version between 2.0.0 and 2.21.30

Check Version:

npm list @sap/hana-client

Verify Fix Applied:

Verify @sap/hana-client version is 2.21.31 or higher in package.json and node_modules

📡 Detection & Monitoring

Log Indicators:

  • Application errors related to prototype pollution
  • Unexpected application crashes when processing database queries
  • Error logs mentioning nestTables or HANA client

Network Indicators:

  • Unusual database query patterns with nestTables parameter
  • Increased error responses from API endpoints using HANA client

SIEM Query:

source="application.log" AND ("prototype pollution" OR "nestTables" OR "@sap/hana-client") AND severity=ERROR
