Lucene search

SapCVELIST:CVE-2023-24526

HistoryMar 14, 2023 - 4:38 a.m.

CVE-2023-24526 Improper Access Control in SAP NetWeaver AS Java (Classload Service)

2023-03-1404:38:03

CWE-306

sap

www.cve.org

cve-2023-24526

sap netweaver

access control

java

privileges escalation

confidentiality

authenticationchecks

data security

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

30.0%

JSON

SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "NetWeaver AS Java for Classload Service",
    "vendor": "SAP",
    "versions": [
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3288394

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

30.0%

JSON

Related for CVELIST:CVE-2023-24526