FKIE_CVE-2026-23681
Vulnerability from fkie_nvd - Published: 2026-02-10 04:16 - Updated: 2026-02-17 16:04
Summary
Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability.
References
| Source | URL | Tags |
|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3680416 | Permissions Required |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sap | solution_tools_plug-in | 740 |
| sap | solution_tools_plug-in | 758 |
| sap | solution_tools_plug-in | 2008_1_700 |
| sap | solution_tools_plug-in | 2008_1_710 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:740:*:*:*:*:*:*:*",
"matchCriteriaId": "3E087FCF-62FE-48A7-80B1-1BEDEA5716D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:758:*:*:*:*:*:*:*",
"matchCriteriaId": "F9C9CBFC-453A-4B9E-87B6-466369CE6AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC728B3-F77B-45E8-B7EC-9C78B41FA1E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:*:*:*:*:*:*:*",
"matchCriteriaId": "4836C482-5A64-4373-BCB4-0185BDF83EAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability."
},
{
"lang": "es",
"value": "Debido a la falta de verificaci\u00f3n de autorizaci\u00f3n en un m\u00f3dulo de funci\u00f3n en el Plug-In de Herramientas de Soporte de SAP, un atacante autenticado podr\u00eda invocar m\u00f3dulos de funci\u00f3n espec\u00edficos para recuperar informaci\u00f3n sobre el sistema y su configuraci\u00f3n. Esta divulgaci\u00f3n de la informaci\u00f3n del sistema podr\u00eda ayudar al atacante a planificar ataques subsiguientes. Esta vulnerabilidad tiene un bajo impacto en la confidencialidad de la aplicaci\u00f3n, sin efecto en su integridad o disponibilidad."
}
],
"id": "CVE-2026-23681",
"lastModified": "2026-02-17T16:04:47.287",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Primary"
}
]
},
"published": "2026-02-10T04:16:02.520",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3680416"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.