6.5

CVE-2023-33992

EPSS 0.09%
Published 11.07.2023 03:15:09
Last modified 21.11.2024 08:06:22
Source cna@sap.com
Teams watchlist Login
Open Login

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Business Warehouse Version730

SAP ≫ Business Warehouse Version731

SAP ≫ Business Warehouse Version740

SAP ≫ Business Warehouse Version750

SAP ≫ Bw/4hana Version100

SAP ≫ Bw/4hana Version200

SAP ≫ Bw/4hana Version300

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.265

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cna@sap.com	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://me.sap.com/notes/3088078

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-33992

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33992

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33992

EUVD