FKIE_CVE-2026-23689
Vulnerability from fkie_nvd - Published: 2026-02-10 04:16 - Updated: 2026-02-17 15:57
Severity
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Summary
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
References
| Source | URL | Tags |
|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3703092 | Permissions Required |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sap | advanced_planning_and_optimization | 713 |
| sap | advanced_planning_and_optimization | 714 |
| sap | supply_chain_management | 700 |
| sap | supply_chain_management | 701 |
| sap | supply_chain_management | 702 |
| sap | supply_chain_management | 712 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:713:*:*:*:*:*:*:*",
"matchCriteriaId": "8E303C34-3616-489F-BEA3-456E302E2D38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:714:*:*:*:*:*:*:*",
"matchCriteriaId": "82CF8FC0-AECD-4ACC-B823-45645A5B2D83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supply_chain_management:700:*:*:*:*:*:*:*",
"matchCriteriaId": "A19AC4DB-E940-46AC-9E3D-4108B3F07BC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supply_chain_management:701:*:*:*:*:*:*:*",
"matchCriteriaId": "B0A1E0EC-CA14-4AA4-A798-E4E9AD59E45B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supply_chain_management:702:*:*:*:*:*:*:*",
"matchCriteriaId": "D0B74ECC-DC88-4171-B091-49BD76491336",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supply_chain_management:712:*:*:*:*:*:*:*",
"matchCriteriaId": "9172B1E7-CEDA-4A60-9915-E744FC1319FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."
},
{
"lang": "es",
"value": "Debido a una vulnerabilidad de consumo de recursos no controlado (denegaci\u00f3n de servicio), un atacante autenticado con privilegios de usuario regular y acceso a la red puede invocar repetidamente un m\u00f3dulo de funci\u00f3n habilitado remotamente con un par\u00e1metro de control de bucle excesivamente grande. Esto desencadena una ejecuci\u00f3n de bucle prolongada que consume recursos excesivos del sistema, lo que podr\u00eda dejar el sistema no disponible. La explotaci\u00f3n exitosa resulta en una condici\u00f3n de denegaci\u00f3n de servicio que afecta la disponibilidad, mientras que la confidencialidad y la integridad permanecen inafectadas."
}
],
"id": "CVE-2026-23689",
"lastModified": "2026-02-17T15:57:04.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-10T04:16:03.500",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3703092"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-606"
}
],
"source": "cna@sap.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.