Lucene search

[email protected]CVE-2023-40309

HistorySep 12, 2023 - 3:15 a.m.

CVE-2023-40309

2023-09-1203:15:12

CWE-862

[email protected]

web.nvd.nist.gov

sap

commoncryptolib

authentication

vulnerability

privilege escalation

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

38.5%

JSON

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

CPENameOperatorVersion
sap:commoncryptolibsap commoncryptolibeq8.0.0
sap:content_serversap content servereq6.50
sap:content_serversap content servereq7.53
sap:content_serversap content servereq7.54
sap:extended_application_services_and_runtimesap extended application services and runtimeeq1.0
sap:hana_databasesap hana databaseeq2.0
sap:host_agentsap host agenteq722
sap:netweaver_application_server_abapsap netweaver application server abapeq7.22ext
sap:netweaver_application_server_abapsap netweaver application server abapeqkernel_7.22
sap:netweaver_application_server_abapsap netweaver application server abapeqkernel_7.53

CPE	Name	Operator	Version
sap:commoncryptolib	sap commoncryptolib	eq	8.0.0
sap:content_server	sap content server	eq	6.50
sap:content_server	sap content server	eq	7.53
sap:content_server	sap content server	eq	7.54
sap:extended_application_services_and_runtime	sap extended application services and runtime	eq	1.0
sap:hana_database	sap hana database	eq	2.0
sap:host_agent	sap host agent	eq	722
sap:netweaver_application_server_abap	sap netweaver application server abap	eq	7.22ext
sap:netweaver_application_server_abap	sap netweaver application server abap	eq	kernel_7.22
sap:netweaver_application_server_abap	sap netweaver application server abap	eq	kernel_7.53

Rows per page:

1-10 of 471

References

me.sap.com/notes/3340576

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

38.5%

JSON

Related for CVE-2023-40309

prion1