CVE-2023-40309

Опубликовано: 12 сент. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

Ссылки

https://me.sap.com/notes/3340576
Permissions Required
Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Vendor Advisory
https://me.sap.com/notes/3340576
Permissions Required
Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sap:commoncryptolib:8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:sap:content_server:6.50:*:*:*:*:*:*:*

cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:content_server:7.54:*:*:*:*:*:*:*

cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:*:*:*:*:*:*:*

cpe:2.3:a:sap:hana_database:2.0:*:*:*:*:*:*:*

cpe:2.3:a:sap:host_agent:722:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:*:*:*:*:*:*:*

cpe:2.3:a:sap:sapssoext:17.0:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.54:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*

cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*

EPSS

Процентиль: 37%

0.00162

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-42qx-rv8j-r8f3

CVSS3: 9.8

github

больше 2 лет назад

BDU:2023-07391

CVSS3: 9.8

fstec

больше 2 лет назад

Уязвимость библиотеки SAP CommonCryptoLib, связанная с недостатками процедуры авторизации, позволяющая нарушителю читать, изменять или удалять данные с ограниченным доступом

EPSS

Процентиль: 37%

0.00162

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-863