cvelistv5 - cve-2023-24522

CVE-2023-24522 (GCVE-0-2023-24522)

Vulnerability from cvelistv5 – Published: 2023-02-14 03:17 – Updated: 2025-03-20 20:31

Summary

Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

sap

References

URL

Tags

	https://launchpad.support.sap.com/#/notes/3269118
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP	NetWeaver AS ABAP (BSP Framework)	Affected: 700 Affected: 701 Affected: 702 Affected: 731 Affected: 740

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:56:04.378Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3269118"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-24522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T20:31:22.712249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T20:31:30.924Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NetWeaver AS ABAP (BSP Framework)",
          "vendor": "SAP",
          "versions": [
            {
              "status": "affected",
              "version": "700"
            },
            {
              "status": "affected",
              "version": "701"
            },
            {
              "status": "affected",
              "version": "702"
            },
            {
              "status": "affected",
              "version": "731"
            },
            {
              "status": "affected",
              "version": "740"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\u003c/p\u003e"
            }
          ],
          "value": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-11T21:26:34.087Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://launchpad.support.sap.com/#/notes/3269118"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-24522",
    "datePublished": "2023-02-14T03:17:02.758Z",
    "dateReserved": "2023-01-25T15:46:55.581Z",
    "dateUpdated": "2025-03-20T20:31:30.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"98B2522A-B850-4EC2-B2F2-5EBF36801B39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"706FEB9E-3EE9-405E-A8C9-733DAF68AC6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5CC29738-CF17-4E6B-9C9E-879B17F7E001\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"127E508F-6CC1-41C8-96DF-8D14FFDD4020\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\\n\\n\"}]",
      "id": "CVE-2023-24522",
      "lastModified": "2024-11-21T07:48:02.843",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2023-02-14T04:15:12.423",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3269118\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3269118\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-24522\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2023-02-14T04:15:12.423\",\"lastModified\":\"2024-11-21T07:48:02.843\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98B2522A-B850-4EC2-B2F2-5EBF36801B39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"706FEB9E-3EE9-405E-A8C9-733DAF68AC6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CC29738-CF17-4E6B-9C9E-879B17F7E001\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"127E508F-6CC1-41C8-96DF-8D14FFDD4020\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3269118\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3269118\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3269118\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:56:04.378Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-24522\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-20T20:31:22.712249Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T20:31:26.377Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP\", \"product\": \"NetWeaver AS ABAP (BSP Framework)\", \"versions\": [{\"status\": \"affected\", \"version\": \"700\"}, {\"status\": \"affected\", \"version\": \"701\"}, {\"status\": \"affected\", \"version\": \"702\"}, {\"status\": \"affected\", \"version\": \"731\"}, {\"status\": \"affected\", \"version\": \"740\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3269118\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDue to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2023-04-11T21:26:34.087Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-24522\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-20T20:31:30.924Z\", \"dateReserved\": \"2023-01-25T15:46:55.581Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2023-02-14T03:17:02.758Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2023-40169

Vulnerability from cnvd - Published: 2023-05-25

Title

SAP NetWeaver AS跨站脚本漏洞（CNVD-2023-40169）

Description

SAP NetWeaver AS是德国思爱普（SAP）公司的一款SAP网络应用服务器。它不仅能提供网络服务，且还是SAP软件的基本平台。 SAP NetWeaver AS ABAP(Business Server Pages)700版本、701版本、702版本、731版本、740版本存在跨站脚本漏洞。攻击者利用该漏洞注入恶意代码来更改用户的当前会话并获得访问数据的权限。

Severity

中

Patch Name

SAP NetWeaver AS跨站脚本漏洞（CNVD-2023-40169）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://launchpad.support.sap.com/#/notes/3269118

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-24522

Impacted products

Name
['SAP Netweaver Application Server ABAP 740', 'SAP Netweaver Application Server ABAP 702', 'SAP Netweaver Application Server ABAP 700', 'SAP Netweaver Application Server ABAP 731', 'SAP Netweaver Application Server ABAP 701']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-24522",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-24522"
    }
  },
  "description": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\n\nSAP NetWeaver AS ABAP(Business Server Pages)700\u7248\u672c\u3001701\u7248\u672c\u3001702\u7248\u672c\u3001731\u7248\u672c\u3001740\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u6765\u66f4\u6539\u7528\u6237\u7684\u5f53\u524d\u4f1a\u8bdd\u5e76\u83b7\u5f97\u8bbf\u95ee\u6570\u636e\u7684\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\nhttps://launchpad.support.sap.com/#/notes/3269118",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-40169",
  "openTime": "2023-05-25",
  "patchDescription": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\r\n\r\nSAP NetWeaver AS ABAP(Business Server Pages)700\u7248\u672c\u3001701\u7248\u672c\u3001702\u7248\u672c\u3001731\u7248\u672c\u3001740\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u6765\u66f4\u6539\u7528\u6237\u7684\u5f53\u524d\u4f1a\u8bdd\u5e76\u83b7\u5f97\u8bbf\u95ee\u6570\u636e\u7684\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2023-40169\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP Netweaver Application Server ABAP 740",
      "SAP Netweaver Application Server ABAP 702",
      "SAP Netweaver Application Server ABAP 700",
      "SAP Netweaver Application Server ABAP 731",
      "SAP Netweaver Application Server ABAP 701"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-24522",
  "serverity": "\u4e2d",
  "submitTime": "2023-03-01",
  "title": "SAP NetWeaver AS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2023-40169\uff09"
}

WID-SEC-W-2023-0356

Vulnerability from csaf_certbund - Published: 2023-02-13 23:00 - Updated: 2023-02-13 23:00

Summary

SAP Software: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0356 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0356.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0356 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0356"
      },
      {
        "category": "external",
        "summary": "SAP Patchday Februar 2023 vom 2023-02-13",
        "url": "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a\u0026rc=10"
      }
    ],
    "source_lang": "en-US",
    "title": "SAP Software: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-02-13T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:43:30.138+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-0356",
      "initial_release_date": "2023-02-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-02-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SAP Software",
            "product": {
              "name": "SAP Software",
              "product_id": "T016476",
              "product_identification_helper": {
                "cpe": "cpe:/a:sap:sap:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SAP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25614",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-25614"
    },
    {
      "cve": "CVE-2023-24530",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24530"
    },
    {
      "cve": "CVE-2023-24529",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24529"
    },
    {
      "cve": "CVE-2023-24528",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24528"
    },
    {
      "cve": "CVE-2023-24525",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24525"
    },
    {
      "cve": "CVE-2023-24524",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24524"
    },
    {
      "cve": "CVE-2023-24523",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24523"
    },
    {
      "cve": "CVE-2023-24522",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24522"
    },
    {
      "cve": "CVE-2023-24521",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-24521"
    },
    {
      "cve": "CVE-2023-23860",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23860"
    },
    {
      "cve": "CVE-2023-23859",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23859"
    },
    {
      "cve": "CVE-2023-23858",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23858"
    },
    {
      "cve": "CVE-2023-23856",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23856"
    },
    {
      "cve": "CVE-2023-23855",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23855"
    },
    {
      "cve": "CVE-2023-23854",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23854"
    },
    {
      "cve": "CVE-2023-23853",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23853"
    },
    {
      "cve": "CVE-2023-23852",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23852"
    },
    {
      "cve": "CVE-2023-23851",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-23851"
    },
    {
      "cve": "CVE-2023-0025",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-0025"
    },
    {
      "cve": "CVE-2023-0024",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-0024"
    },
    {
      "cve": "CVE-2023-0020",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-0020"
    },
    {
      "cve": "CVE-2023-0019",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-0019"
    },
    {
      "cve": "CVE-2023-0013",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2023-0013"
    },
    {
      "cve": "CVE-2022-41268",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2022-41268"
    },
    {
      "cve": "CVE-2022-41264",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2022-41264"
    },
    {
      "cve": "CVE-2022-41262",
      "notes": [
        {
          "category": "description",
          "text": "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates f\u00fcr diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrit\u00e4t und die Verf\u00fcgbarkeit zu gef\u00e4hrden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016476"
        ]
      },
      "release_date": "2023-02-13T23:00:00.000+00:00",
      "title": "CVE-2022-41262"
    }
  ]
}

CERTFR-2023-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAPBASIS versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 et 791
SAP	N/A	NetWeaver AS ABAP (Business Server Pages application) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G et 75H
SAP	N/A	BusinessObjects Business Intelligence (Web Intelligence UI) version 430
SAP	N/A	BusinessObjects Business Intelligence platform (CMC) versions 420 et 430
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform version 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790
SAP	N/A	CRM (WebClient UI) versions 700, 701, 702, 731, 740, 750, 751 et 752, WEBCUIF 748, 800 et 801, S4FND 102 et 103
SAP	N/A	NetWeaver Application Server for ABAP and ABAP Platform versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790
SAP	N/A	S/4 HANA (Map Treasury Correspondence Format Data) versions 104 et 105
SAP	N/A	Host Agent Service versions 7.21 et 7.22
SAP	N/A	Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests) version 600
SAP	N/A	BusinessObjects Business Intelligence platform (Analysis edition for OLAP) versions 420 et 430
SAP	N/A	NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751 et 752
SAP	N/A	GRC Process Control application versions GRCFND_A V1200, V8100, GRCPINW V1100_700, V1100_731 et V1200_750
SAP	N/A	Solution Manager (BSP Application) version 720
SAP	N/A	Solution Manager version 720
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform version 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS for Java (Http Provider Service) version 7.50
SAP	N/A	Business Planning and Consolidation versions SAP_BW 750, 751, 752, 753, 754, 755, 756 et 757, DWCORE 200 et 300 et CPMBPC 810
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform versions 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731 et 740
SAP	N/A	Business Client versions 6.5, 7.0 et 7.70
SAP	N/A	Business Planning and Consolidation versions 200 et 300

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 14 février 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAPBASIS versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 et 791",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (Business Server Pages application) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G et 75H",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence (Web Intelligence UI) version 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence platform (CMC) versions 420 et 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform version 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM (WebClient UI) versions 700, 701, 702, 731, 740, 750, 751 et 752, WEBCUIF 748, 800 et 801, S4FND 102 et 103",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP and ABAP Platform versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4 HANA (Map Treasury Correspondence Format Data) versions 104 et 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Host Agent Service versions 7.21 et 7.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests) version 600",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence platform (Analysis edition for OLAP) versions 420 et 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751 et 752",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GRC Process Control application versions GRCFND_A V1200, V8100, GRCPINW V1100_700, V1100_731 et V1200_750",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Solution Manager (BSP Application) version 720",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Solution Manager version 720",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform version 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for Java (Http Provider Service) version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Planning and Consolidation versions SAP_BW 750, 751, 752, 753, 754, 755, 756 et 757, DWCORE 200 et 300 et CPMBPC 810",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform versions 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731 et 740",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Planning and Consolidation versions 200 et 300",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23854",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23854"
    },
    {
      "name": "CVE-2023-0020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0020"
    },
    {
      "name": "CVE-2023-24529",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24529"
    },
    {
      "name": "CVE-2023-23859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23859"
    },
    {
      "name": "CVE-2023-25614",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25614"
    },
    {
      "name": "CVE-2023-24530",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24530"
    },
    {
      "name": "CVE-2023-23851",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23851"
    },
    {
      "name": "CVE-2023-23855",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23855"
    },
    {
      "name": "CVE-2023-24523",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24523"
    },
    {
      "name": "CVE-2023-24528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24528"
    },
    {
      "name": "CVE-2023-0019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0019"
    },
    {
      "name": "CVE-2023-24525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24525"
    },
    {
      "name": "CVE-2023-23852",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23852"
    },
    {
      "name": "CVE-2022-41264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41264"
    },
    {
      "name": "CVE-2023-23860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23860"
    },
    {
      "name": "CVE-2022-41268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41268"
    },
    {
      "name": "CVE-2023-23856",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23856"
    },
    {
      "name": "CVE-2023-24521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24521"
    },
    {
      "name": "CVE-2023-24522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24522"
    },
    {
      "name": "CVE-2022-41262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41262"
    },
    {
      "name": "CVE-2023-23858",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23858"
    },
    {
      "name": "CVE-2023-23853",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23853"
    },
    {
      "name": "CVE-2023-0025",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0025"
    },
    {
      "name": "CVE-2023-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0013"
    },
    {
      "name": "CVE-2023-0024",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0024"
    },
    {
      "name": "CVE-2023-24524",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24524"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-02-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 14 f\u00e9vrier 2023",
      "url": "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a\u0026rc=1"
    }
  ]
}

CERTFR-2023-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAPBASIS versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 et 791
SAP	N/A	NetWeaver AS ABAP (Business Server Pages application) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G et 75H
SAP	N/A	BusinessObjects Business Intelligence (Web Intelligence UI) version 430
SAP	N/A	BusinessObjects Business Intelligence platform (CMC) versions 420 et 430
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform version 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790
SAP	N/A	CRM (WebClient UI) versions 700, 701, 702, 731, 740, 750, 751 et 752, WEBCUIF 748, 800 et 801, S4FND 102 et 103
SAP	N/A	NetWeaver Application Server for ABAP and ABAP Platform versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790
SAP	N/A	S/4 HANA (Map Treasury Correspondence Format Data) versions 104 et 105
SAP	N/A	Host Agent Service versions 7.21 et 7.22
SAP	N/A	Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests) version 600
SAP	N/A	BusinessObjects Business Intelligence platform (Analysis edition for OLAP) versions 420 et 430
SAP	N/A	NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751 et 752
SAP	N/A	GRC Process Control application versions GRCFND_A V1200, V8100, GRCPINW V1100_700, V1100_731 et V1200_750
SAP	N/A	Solution Manager (BSP Application) version 720
SAP	N/A	Solution Manager version 720
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform version 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS for Java (Http Provider Service) version 7.50
SAP	N/A	Business Planning and Consolidation versions SAP_BW 750, 751, 752, 753, 754, 755, 756 et 757, DWCORE 200 et 300 et CPMBPC 810
SAP	N/A	NetWeaver AS for ABAP and ABAP Platform versions 740, 750, 751, 752, 753, 754, 755, 756 et 757
SAP	N/A	NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731 et 740
SAP	N/A	Business Client versions 6.5, 7.0 et 7.70
SAP	N/A	Business Planning and Consolidation versions 200 et 300

References

Title

Publication Time

Tags

Bulletin de sécurité SAP du 14 février 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAPBASIS versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 et 791",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (Business Server Pages application) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G et 75H",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence (Web Intelligence UI) version 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence platform (CMC) versions 420 et 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform version 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM (WebClient UI) versions 700, 701, 702, 731, 740, 750, 751 et 752, WEBCUIF 748, 800 et 801, S4FND 102 et 103",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP and ABAP Platform versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789 et 790",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4 HANA (Map Treasury Correspondence Format Data) versions 104 et 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Host Agent Service versions 7.21 et 7.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests) version 600",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence platform (Analysis edition for OLAP) versions 420 et 430",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751 et 752",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GRC Process Control application versions GRCFND_A V1200, V8100, GRCPINW V1100_700, V1100_731 et V1200_750",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Solution Manager (BSP Application) version 720",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Solution Manager version 720",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform version 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for Java (Http Provider Service) version 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Planning and Consolidation versions SAP_BW 750, 751, 752, 753, 754, 755, 756 et 757, DWCORE 200 et 300 et CPMBPC 810",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS for ABAP and ABAP Platform versions 740, 750, 751, 752, 753, 754, 755, 756 et 757",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver AS ABAP (BSP Framework) version 700, 701, 702, 731 et 740",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Planning and Consolidation versions 200 et 300",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23854",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23854"
    },
    {
      "name": "CVE-2023-0020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0020"
    },
    {
      "name": "CVE-2023-24529",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24529"
    },
    {
      "name": "CVE-2023-23859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23859"
    },
    {
      "name": "CVE-2023-25614",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25614"
    },
    {
      "name": "CVE-2023-24530",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24530"
    },
    {
      "name": "CVE-2023-23851",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23851"
    },
    {
      "name": "CVE-2023-23855",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23855"
    },
    {
      "name": "CVE-2023-24523",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24523"
    },
    {
      "name": "CVE-2023-24528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24528"
    },
    {
      "name": "CVE-2023-0019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0019"
    },
    {
      "name": "CVE-2023-24525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24525"
    },
    {
      "name": "CVE-2023-23852",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23852"
    },
    {
      "name": "CVE-2022-41264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41264"
    },
    {
      "name": "CVE-2023-23860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23860"
    },
    {
      "name": "CVE-2022-41268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41268"
    },
    {
      "name": "CVE-2023-23856",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23856"
    },
    {
      "name": "CVE-2023-24521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24521"
    },
    {
      "name": "CVE-2023-24522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24522"
    },
    {
      "name": "CVE-2022-41262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41262"
    },
    {
      "name": "CVE-2023-23858",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23858"
    },
    {
      "name": "CVE-2023-23853",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23853"
    },
    {
      "name": "CVE-2023-0025",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0025"
    },
    {
      "name": "CVE-2023-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0013"
    },
    {
      "name": "CVE-2023-0024",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0024"
    },
    {
      "name": "CVE-2023-24524",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24524"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-02-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP du 14 f\u00e9vrier 2023",
      "url": "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a\u0026rc=1"
    }
  ]
}

GHSA-MPFR-RCQQ-M4PW

Vulnerability from github – Published: 2023-02-14 06:31 – Updated: 2023-02-21 21:30

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-24522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-14T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.",
  "id": "GHSA-mpfr-rcqq-m4pw",
  "modified": "2023-02-21T21:30:18Z",
  "published": "2023-02-14T06:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24522"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3269118"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2023-24522

Vulnerability from fkie_nvd - Published: 2023-02-14 04:15 - Updated: 2024-11-21 07:48

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/3269118	Permissions Required, Vendor Advisory
cna@sap.com	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3269118	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	netweaver_application_server_abap	700
sap	netweaver_application_server_abap	701
sap	netweaver_application_server_abap	702
sap	netweaver_application_server_abap	731
sap	netweaver_application_server_abap	740

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "98B2522A-B850-4EC2-B2F2-5EBF36801B39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CC29738-CF17-4E6B-9C9E-879B17F7E001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "127E508F-6CC1-41C8-96DF-8D14FFDD4020",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n"
    }
  ],
  "id": "CVE-2023-24522",
  "lastModified": "2024-11-21T07:48:02.843",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-14T04:15:12.423",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3269118"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3269118"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

GSD-2023-24522

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-24522

Aliases

CVE-2023-24522

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-24522",
    "id": "GSD-2023-24522"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-24522"
      ],
      "details": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n",
      "id": "GSD-2023-24522",
      "modified": "2023-12-13T01:20:58.335786Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2023-24522",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "NetWeaver AS ABAP (BSP Framework)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "700"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "701"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "702"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "731"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "740"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://launchpad.support.sap.com/#/notes/3269118",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3269118"
          },
          {
            "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            "refsource": "MISC",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2023-24522"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3269118",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3269118"
            },
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-04-11T22:15Z",
      "publishedDate": "2023-02-14T04:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-24522 (GCVE-0-2023-24522)

CNVD-2023-40169

WID-SEC-W-2023-0356

CERTFR-2023-AVI-0125

Solution

CERTFR-2023-AVI-0125

Solution

GHSA-MPFR-RCQQ-M4PW

FKIE_CVE-2023-24522

GSD-2023-24522

Tags

Sightings

Nomenclature