CVE-2023-40309

EPSS 0.16%
Published 12.09.2023 03:15:12
Last modified 21.11.2024 08:19:12
Source cna@sap.com
Teams watchlist Login
Open Login

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Commoncryptolib Version8.0.0

SAP ≫ Content Server Version6.50

SAP ≫ Content Server Version7.53

SAP ≫ Content Server Version7.54

SAP ≫ Extended Application Services And Runtime Version1.0

SAP ≫ Hana Database Version2.0

SAP ≫ Host Agent Version722

SAP ≫ Netweaver Application Server Abap Version7.22ext

SAP ≫ Netweaver Application Server Abap Versionkernel_7.22

SAP ≫ Netweaver Application Server Abap Versionkernel_7.53

SAP ≫ Netweaver Application Server Abap Versionkernel_7.54

SAP ≫ Netweaver Application Server Abap Versionkernel_7.77

SAP ≫ Netweaver Application Server Abap Versionkernel_7.85

SAP ≫ Netweaver Application Server Abap Versionkernel_7.89

SAP ≫ Netweaver Application Server Abap Versionkernel_7.91

SAP ≫ Netweaver Application Server Abap Versionkernel_7.92

SAP ≫ Netweaver Application Server Abap Versionkernel_7.93

SAP ≫ Netweaver Application Server Abap Versionkernel_8.04

SAP ≫ Netweaver Application Server Abap Versionkernel64nuc_7.22

SAP ≫ Netweaver Application Server Abap Versionkernel64nuc_7.22ext

SAP ≫ Netweaver Application Server Abap Versionkernel64uc_7.22

SAP ≫ Netweaver Application Server Abap Versionkernel64uc_7.22ext

SAP ≫ Netweaver Application Server Abap Versionkernel64uc_7.53

SAP ≫ Netweaver Application Server Abap Versionkernel64uc_8.04

SAP ≫ Netweaver Application Server Java Versionkernel_7.22

SAP ≫ Netweaver Application Server Java Versionkernel_7.53

SAP ≫ Netweaver Application Server Java Versionkernel_7.54

SAP ≫ Netweaver Application Server Java Versionkernel_7.77

SAP ≫ Netweaver Application Server Java Versionkernel_7.85

SAP ≫ Netweaver Application Server Java Versionkernel_7.89

SAP ≫ Netweaver Application Server Java Versionkernel_7.91

SAP ≫ Netweaver Application Server Java Versionkernel_7.92

SAP ≫ Netweaver Application Server Java Versionkernel_7.93

SAP ≫ Netweaver Application Server Java Versionkernel_8.04

SAP ≫ Netweaver Application Server Java Versionkernel64nuc_7.22

SAP ≫ Netweaver Application Server Java Versionkernel64nuc_7.22ext

SAP ≫ Netweaver Application Server Java Versionkernel64uc_7.22

SAP ≫ Netweaver Application Server Java Versionkernel64uc_7.22ext

SAP ≫ Netweaver Application Server Java Versionkernel64uc_7.53

SAP ≫ Netweaver Application Server Java Versionkernel64uc_8.04

SAP ≫ Sapssoext Version17.0

SAP ≫ Web Dispatcher Version7.22ext

SAP ≫ Web Dispatcher Version7.53

SAP ≫ Web Dispatcher Version7.54

SAP ≫ Web Dispatcher Version7.77

SAP ≫ Web Dispatcher Version7.85

SAP ≫ Web Dispatcher Version7.89

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.16%	0.38

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@sap.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://me.sap.com/notes/3340576

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-40309

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40309

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40309

EUVD