cnvd - cnvd-2023-65175

CNVD-2023-65175

Vulnerability from cnvd - Published: 2023-08-23

Title

SAP Supplier Relationship Management信息泄露漏洞

Description

SAP Supplier Relationship Management（SRM）是德国思爱普（SAP）公司的一套供应商关系管理解决方案。该产品实现了企业内以及供应商之间采购和购置流程的自动化，并提供发票开具等功能。 SAP Supplier Relationship Management 600、602、603、604、605、606、616、617版本存在信息泄露漏洞，未经授权的攻击者可利用该漏洞在业务合作伙伴的供应商主数据复制功能中发现与SRM相关的信息。

Severity

中

Patch Name

SAP Supplier Relationship Management信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Reference

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html https://me.sap.com/notes/2067220 https://cxsecurity.com/cveshow/CVE-2023-39436/

Impacted products

Name
['SAP supplier relationship management 600', 'SAP supplier relationship management 602', 'SAP supplier relationship management 603', 'SAP supplier relationship management 604', 'SAP supplier relationship management 605', 'SAP supplier relationship management 606', 'SAP supplier relationship management 616', 'SAP supplier relationship management 617']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-39436",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-39436"
    }
  },
  "description": "SAP Supplier Relationship Management\uff08SRM\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f9b\u5e94\u5546\u5173\u7cfb\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5b9e\u73b0\u4e86\u4f01\u4e1a\u5185\u4ee5\u53ca\u4f9b\u5e94\u5546\u4e4b\u95f4\u91c7\u8d2d\u548c\u8d2d\u7f6e\u6d41\u7a0b\u7684\u81ea\u52a8\u5316\uff0c\u5e76\u63d0\u4f9b\u53d1\u7968\u5f00\u5177\u7b49\u529f\u80fd\u3002\n\nSAP Supplier Relationship Management 600\u3001602\u3001603\u3001604\u3001605\u3001606\u3001616\u3001617\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4e1a\u52a1\u5408\u4f5c\u4f19\u4f34\u7684\u4f9b\u5e94\u5546\u4e3b\u6570\u636e\u590d\u5236\u529f\u80fd\u4e2d\u53d1\u73b0\u4e0eSRM\u76f8\u5173\u7684\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-65175",
  "openTime": "2023-08-23",
  "patchDescription": "SAP Supplier Relationship Management\uff08SRM\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f9b\u5e94\u5546\u5173\u7cfb\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5b9e\u73b0\u4e86\u4f01\u4e1a\u5185\u4ee5\u53ca\u4f9b\u5e94\u5546\u4e4b\u95f4\u91c7\u8d2d\u548c\u8d2d\u7f6e\u6d41\u7a0b\u7684\u81ea\u52a8\u5316\uff0c\u5e76\u63d0\u4f9b\u53d1\u7968\u5f00\u5177\u7b49\u529f\u80fd\u3002\r\n\r\nSAP Supplier Relationship Management 600\u3001602\u3001603\u3001604\u3001605\u3001606\u3001616\u3001617\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4e1a\u52a1\u5408\u4f5c\u4f19\u4f34\u7684\u4f9b\u5e94\u5546\u4e3b\u6570\u636e\u590d\u5236\u529f\u80fd\u4e2d\u53d1\u73b0\u4e0eSRM\u76f8\u5173\u7684\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Supplier Relationship Management\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP supplier relationship management 600",
      "SAP supplier relationship management 602",
      "SAP supplier relationship management 603",
      "SAP supplier relationship management 604",
      "SAP supplier relationship management 605",
      "SAP supplier relationship management 606",
      "SAP supplier relationship management 616",
      "SAP supplier relationship management 617"
    ]
  },
  "referenceLink": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\r\nhttps://me.sap.com/notes/2067220\r\nhttps://cxsecurity.com/cveshow/CVE-2023-39436/",
  "serverity": "\u4e2d",
  "submitTime": "2023-08-11",
  "title": "SAP Supplier Relationship Management\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2023-39436 (GCVE-0-2023-39436)

Vulnerability from cvelistv5 – Published: 2023-08-08 00:48 – Updated: 2024-10-15 20:13

Summary

SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/2067220
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP Supplier Relationship Management	Affected: 600 Affected: 602 Affected: 603 Affected: 604 Affected: 605 Affected: 606 Affected: 616 Affected: 617

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:10:20.665Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/2067220"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39436",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T20:13:08.498052Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T20:13:19.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Supplier Relationship Management",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "600"
            },
            {
              "status": "affected",
              "version": "602"
            },
            {
              "status": "affected",
              "version": "603"
            },
            {
              "status": "affected",
              "version": "604"
            },
            {
              "status": "affected",
              "version": "605"
            },
            {
              "status": "affected",
              "version": "606"
            },
            {
              "status": "affected",
              "version": "616"
            },
            {
              "status": "affected",
              "version": "617"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM.\u003c/p\u003e"
            }
          ],
          "value": "SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-28T22:07:01.413Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/2067220"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure in SAP Supplier Relationship Management",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-39436",
    "datePublished": "2023-08-08T00:48:18.892Z",
    "dateReserved": "2023-08-01T21:49:02.687Z",
    "dateUpdated": "2024-10-15T20:13:19.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-65175

CVE-2023-39436 (GCVE-0-2023-39436)

Tags

Sightings

Nomenclature