cvelistv5 - cve-2023-0017

CVE-2023-0017 (GCVE-0-2023-0017)

Vulnerability from cvelistv5 – Published: 2023-01-10 03:18 – Updated: 2025-04-09 13:54

Summary

An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.

Severity ?

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-284 - Improper access control

Assigner

sap

References

URL

Tags

	https://launchpad.support.sap.com/#/notes/3268093
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP	NetWeaver AS for Java	Affected: 7.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:32.802Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3268093"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0017",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T13:53:19.759007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T13:54:09.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NetWeaver AS for Java",
          "vendor": "SAP",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable."
            }
          ],
          "value": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper access control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T03:18:57.927Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://launchpad.support.sap.com/#/notes/3268093"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper access control in SAP NetWeaver AS for Java",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-0017",
    "datePublished": "2023-01-10T03:18:57.927Z",
    "dateReserved": "2022-12-20T03:49:32.991Z",
    "dateUpdated": "2025-04-09T13:54:09.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_for_java:7.50:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D7A80232-F2C2-4B40-A00C-25611D3409AC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.\"}, {\"lang\": \"es\", \"value\": \"Un atacante no autenticado en SAP NetWeaver AS para Java - versi\\u00f3n 7.50, debido a un control de acceso inadecuado, puede conectarse a una interfaz abierta y hacer uso de una API abierta de nombres y directorios para acceder a servicios que pueden usarse para realizar operaciones no autorizadas que afectan a los usuarios y los datos. sobre el sistema actual. Esto podr\\u00eda permitir al atacante tener acceso de lectura completo a los datos del usuario, realizar modificaciones en los datos del usuario y hacer que los servicios dentro del sistema no est\\u00e9n disponibles.\"}]",
      "id": "CVE-2023-0017",
      "lastModified": "2024-11-21T07:36:24.103",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"baseScore\": 9.4, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-01-10T04:15:09.887",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3268093\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3268093\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-0017\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2023-01-10T04:15:09.887\",\"lastModified\":\"2024-11-21T07:36:24.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.\"},{\"lang\":\"es\",\"value\":\"Un atacante no autenticado en SAP NetWeaver AS para Java - versi\u00f3n 7.50, debido a un control de acceso inadecuado, puede conectarse a una interfaz abierta y hacer uso de una API abierta de nombres y directorios para acceder a servicios que pueden usarse para realizar operaciones no autorizadas que afectan a los usuarios y los datos. sobre el sistema actual. Esto podr\u00eda permitir al atacante tener acceso de lectura completo a los datos del usuario, realizar modificaciones en los datos del usuario y hacer que los servicios dentro del sistema no est\u00e9n disponibles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_for_java:7.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7A80232-F2C2-4B40-A00C-25611D3409AC\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3268093\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3268093\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3268093\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:54:32.802Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-0017\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-09T13:53:19.759007Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-09T13:54:00.595Z\"}}], \"cna\": {\"title\": \"Improper access control in SAP NetWeaver AS for Java\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP\", \"product\": \"NetWeaver AS for Java\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.50\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3268093\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper access control\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2023-01-10T03:18:57.927Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-0017\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-09T13:54:09.602Z\", \"dateReserved\": \"2022-12-20T03:49:32.991Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2023-01-10T03:18:57.927Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2023-AVI-0019

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Central management console) versions 420 et 430
SAP	N/A	SAP NetWeaver AS for Java version 7.50
SAP	N/A	SAP NetWeaver Process Integration version 7.50
SAP	N/A	SAP NetWeaver ABAP Server et ABAP Platform versions SAP_BASIS 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22 et 7.22EXT
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence platform (Analysis edition pour OLAP) versions 420 et 430
SAP	N/A	SAP BPC MS 10.0 versions 800 et 810
SAP	N/A	SAP Bank Account Management (Manage Banks) versions 800 et 900
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Central Management Console et BI Launchpad) versions 4.2 et 4.3
SAP	N/A	SAP Host Agent (Windows) versions 7.21 et 7.22
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform version 420

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 10 janvier 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP BusinessObjects Business Intelligence Platform (Central management console) versions 420 et 430",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS for Java version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Process Integration version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver ABAP Server et ABAP Platform versions SAP_BASIS 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22 et 7.22EXT",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence platform (Analysis edition pour OLAP) versions 420 et 430",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BPC MS 10.0 versions 800 et 810",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Bank Account Management (Manage Banks) versions 800 et 900",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence Platform (Central Management Console et BI Launchpad) versions 4.2 et 4.3",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Host Agent (Windows) versions 7.21 et 7.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence Platform version 420",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-41203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41203"
    },
    {
      "name": "CVE-2023-0015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0015"
    },
    {
      "name": "CVE-2023-0022",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0022"
    },
    {
      "name": "CVE-2022-41272",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41272"
    },
    {
      "name": "CVE-2022-41271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41271"
    },
    {
      "name": "CVE-2023-0014",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0014"
    },
    {
      "name": "CVE-2023-0023",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0023"
    },
    {
      "name": "CVE-2023-0012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0012"
    },
    {
      "name": "CVE-2023-0018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0018"
    },
    {
      "name": "CVE-2023-0017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0017"
    },
    {
      "name": "CVE-2023-0016",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0016"
    },
    {
      "name": "CVE-2023-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0013"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0019",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 10 janvier 2023",
      "url": "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a\u0026rc=1"
    }
  ]
}

CERTFR-2023-AVI-0019

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Central management console) versions 420 et 430
SAP	N/A	SAP NetWeaver AS for Java version 7.50
SAP	N/A	SAP NetWeaver Process Integration version 7.50
SAP	N/A	SAP NetWeaver ABAP Server et ABAP Platform versions SAP_BASIS 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22 et 7.22EXT
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence platform (Analysis edition pour OLAP) versions 420 et 430
SAP	N/A	SAP BPC MS 10.0 versions 800 et 810
SAP	N/A	SAP Bank Account Management (Manage Banks) versions 800 et 900
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Central Management Console et BI Launchpad) versions 4.2 et 4.3
SAP	N/A	SAP Host Agent (Windows) versions 7.21 et 7.22
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform version 420

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 10 janvier 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP BusinessObjects Business Intelligence Platform (Central management console) versions 420 et 430",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS for Java version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Process Integration version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver ABAP Server et ABAP Platform versions SAP_BASIS 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22 et 7.22EXT",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence platform (Analysis edition pour OLAP) versions 420 et 430",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BPC MS 10.0 versions 800 et 810",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Bank Account Management (Manage Banks) versions 800 et 900",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence Platform (Central Management Console et BI Launchpad) versions 4.2 et 4.3",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Host Agent (Windows) versions 7.21 et 7.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP BusinessObjects Business Intelligence Platform version 420",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-41203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41203"
    },
    {
      "name": "CVE-2023-0015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0015"
    },
    {
      "name": "CVE-2023-0022",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0022"
    },
    {
      "name": "CVE-2022-41272",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41272"
    },
    {
      "name": "CVE-2022-41271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41271"
    },
    {
      "name": "CVE-2023-0014",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0014"
    },
    {
      "name": "CVE-2023-0023",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0023"
    },
    {
      "name": "CVE-2023-0012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0012"
    },
    {
      "name": "CVE-2023-0018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0018"
    },
    {
      "name": "CVE-2023-0017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0017"
    },
    {
      "name": "CVE-2023-0016",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0016"
    },
    {
      "name": "CVE-2023-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0013"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0019",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 10 janvier 2023",
      "url": "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a\u0026rc=1"
    }
  ]
}

FKIE_CVE-2023-0017

Vulnerability from fkie_nvd - Published: 2023-01-10 04:15 - Updated: 2024-11-21 07:36

Severity ?

9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/3268093	Permissions Required, Vendor Advisory
cna@sap.com	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3268093	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Impacted products

	Vendor	Product	Version
	sap	netweaver_application_server_for_java	7.50

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_for_java:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7A80232-F2C2-4B40-A00C-25611D3409AC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable."
    },
    {
      "lang": "es",
      "value": "Un atacante no autenticado en SAP NetWeaver AS para Java - versi\u00f3n 7.50, debido a un control de acceso inadecuado, puede conectarse a una interfaz abierta y hacer uso de una API abierta de nombres y directorios para acceder a servicios que pueden usarse para realizar operaciones no autorizadas que afectan a los usuarios y los datos. sobre el sistema actual. Esto podr\u00eda permitir al atacante tener acceso de lectura completo a los datos del usuario, realizar modificaciones en los datos del usuario y hacer que los servicios dentro del sistema no est\u00e9n disponibles."
    }
  ],
  "id": "CVE-2023-0017",
  "lastModified": "2024-11-21T07:36:24.103",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.5,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-10T04:15:09.887",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3268093"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3268093"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

GSD-2023-0017

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-0017

Aliases

CVE-2023-0017

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-0017",
    "id": "GSD-2023-0017"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-0017"
      ],
      "details": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.",
      "id": "GSD-2023-0017",
      "modified": "2023-12-13T01:20:23.137073Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2023-0017",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "NetWeaver AS for Java",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "7.50"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-284",
                "lang": "eng",
                "value": "CWE-284 Improper access control"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            "refsource": "MISC",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3268093",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3268093"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_for_java:7.50:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2023-0017"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3268093",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3268093"
            },
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-13T18:18Z",
      "publishedDate": "2023-01-10T04:15Z"
    }
  }
}

WID-SEC-W-2023-0040

Vulnerability from csaf_certbund - Published: 2023-01-09 23:00 - Updated: 2023-01-09 23:00

Summary

SAP Patchday Januar 2023

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um seine Privilegien zu erhöhen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Daten zu manipulieren.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Daten zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0040 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0040.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0040 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0040"
      },
      {
        "category": "external",
        "summary": "SAP Patchday Januar 2023 vom 2023-01-09",
        "url": "https://www.sap.com/docs/download/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.pdf"
      }
    ],
    "source_lang": "en-US",
    "title": "SAP Patchday Januar 2023",
    "tracking": {
      "current_release_date": "2023-01-09T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:40:56.179+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-0040",
      "initial_release_date": "2023-01-09T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-01-09T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SAP Software",
            "product": {
              "name": "SAP Software",
              "product_id": "T016476",
              "product_identification_helper": {
                "cpe": "cpe:/a:sap:sap:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SAP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-0023",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in SAP Software. Der Fehler ist noch nicht im Detail beschrieben und besteht in der Komponente Bank Account Management (Manage Banks). Ein entfernter, authentisierter Angreifer mit bestimmten Privilegien kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0023"
    },
    {
      "cve": "CVE-2023-0022",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in SAP Software. Der Fehler ist noch nicht im Detail beschrieben und besteht in der Komponente BusinessObjects Business Intelligence-Plattform (Analysis Edition for OLAP). Ein entfernter, authentisierter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0022"
    },
    {
      "cve": "CVE-2023-0016",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in SAP Software. Der Fehler besteht aufgrund einer SQL Injection in der Komponente Business Planning and Consolidation MS. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Daten zu manipulieren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0016"
    },
    {
      "cve": "CVE-2023-0018",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Cross-Site Scripting Schwachstellen in den Komponenten NetWeaver AS for ABAP and ABAP Platform and BusinessObjects Business Intelligence Platform. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer oder authentisierter Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0018"
    },
    {
      "cve": "CVE-2023-0015",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Cross-Site Scripting Schwachstellen in den Komponenten NetWeaver AS for ABAP and ABAP Platform and BusinessObjects Business Intelligence Platform. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer oder authentisierter Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0015"
    },
    {
      "cve": "CVE-2023-0013",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Cross-Site Scripting Schwachstellen in den Komponenten NetWeaver AS for ABAP and ABAP Platform and BusinessObjects Business Intelligence Platform. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer oder authentisierter Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0013"
    },
    {
      "cve": "CVE-2023-0017",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten Host Agent, NetWeaver AS for ABAP und ABAP Platform und NetWeaver AS for Java aufgrund einer lokalen Privilegienerweiterung, eines Capture-Replays und einer unzul\u00e4ssigen Zugriffskontrolle. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern. Das erfolgreiche Ausnutzen einer dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0017"
    },
    {
      "cve": "CVE-2023-0014",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten Host Agent, NetWeaver AS for ABAP und ABAP Platform und NetWeaver AS for Java aufgrund einer lokalen Privilegienerweiterung, eines Capture-Replays und einer unzul\u00e4ssigen Zugriffskontrolle. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern. Das erfolgreiche Ausnutzen einer dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0014"
    },
    {
      "cve": "CVE-2023-0012",
      "notes": [
        {
          "category": "description",
          "text": "In SAP Software existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten Host Agent, NetWeaver AS for ABAP und ABAP Platform und NetWeaver AS for Java aufgrund einer lokalen Privilegienerweiterung, eines Capture-Replays und einer unzul\u00e4ssigen Zugriffskontrolle. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern. Das erfolgreiche Ausnutzen einer dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-01-09T23:00:00.000+00:00",
      "title": "CVE-2023-0012"
    }
  ]
}

GHSA-8PHC-JHVP-25CW

Vulnerability from github – Published: 2023-01-10 06:30 – Updated: 2023-01-13 18:30

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-0017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.",
  "id": "GHSA-8phc-jhvp-25cw",
  "modified": "2023-01-13T18:30:18Z",
  "published": "2023-01-10T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0017"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3268093"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2023-03052

Vulnerability from cnvd - Published: 2023-01-16

Title

SAP NetWeaver AS访问控制错误漏洞

Description

SAP NetWeaver AS是德国思爱普（SAP）公司的一款SAP网络应用服务器。它不仅能提供网络服务，且还是SAP软件的基本平台。基于Java的SAP NetWeaver AS 7.50版本存在访问控制错误漏洞，该漏洞源于其访问控制不当，未经身份验证的攻击者可利用此漏洞附加到开放接口并使用开放的命名和目录API访问服务，这些服务可用于执行影响当前系统上用户和数据的未授权操作。

Severity

高

Patch Name

SAP NetWeaver AS访问控制错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://launchpad.support.sap.com/#/notes/3268093

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-0017

Impacted products

Name
SAP SAP NetWeaver AS 7.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-0017",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-0017"
    }
  },
  "description": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\n\n\u57fa\u4e8eJava\u7684SAP NetWeaver AS 7.50\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u9644\u52a0\u5230\u5f00\u653e\u63a5\u53e3\u5e76\u4f7f\u7528\u5f00\u653e\u7684\u547d\u540d\u548c\u76ee\u5f55API\u8bbf\u95ee\u670d\u52a1\uff0c\u8fd9\u4e9b\u670d\u52a1\u53ef\u7528\u4e8e\u6267\u884c\u5f71\u54cd\u5f53\u524d\u7cfb\u7edf\u4e0a\u7528\u6237\u548c\u6570\u636e\u7684\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://launchpad.support.sap.com/#/notes/3268093",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-03052",
  "openTime": "2023-01-16",
  "patchDescription": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\r\n\r\n\u57fa\u4e8eJava\u7684SAP NetWeaver AS 7.50\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u9644\u52a0\u5230\u5f00\u653e\u63a5\u53e3\u5e76\u4f7f\u7528\u5f00\u653e\u7684\u547d\u540d\u548c\u76ee\u5f55API\u8bbf\u95ee\u670d\u52a1\uff0c\u8fd9\u4e9b\u670d\u52a1\u53ef\u7528\u4e8e\u6267\u884c\u5f71\u54cd\u5f53\u524d\u7cfb\u7edf\u4e0a\u7528\u6237\u548c\u6570\u636e\u7684\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP NetWeaver AS 7.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-0017",
  "serverity": "\u9ad8",
  "submitTime": "2023-01-12",
  "title": "SAP NetWeaver AS\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-0017 (GCVE-0-2023-0017)

CERTFR-2023-AVI-0019

Solution

CERTFR-2023-AVI-0019

Solution

FKIE_CVE-2023-0017

GSD-2023-0017

WID-SEC-W-2023-0040

GHSA-8PHC-JHVP-25CW

CNVD-2023-03052

Tags

Sightings

Nomenclature