CVE-2023-0016

SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3275391	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:business_planning_and_consolidation:800:::::microsoft::
	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::microsoft::

History

No history.

Information

Published : 2023-01-10 04:15

Updated : 2024-02-28 19:51

NVD link : CVE-2023-0016

Mitre link : CVE-2023-0016

CVE.ORG link : CVE-2023-0016

JSON object : View

Products Affected

sap

business_planning_and_consolidation

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-0016", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2023-01-10T04:15:09.797", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}], "lastModified": "2023-01-18T20:28:20.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:800:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "6C81EEA1-659E-4080-84E6-8F61937F95B9"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "AAB2F486-AF82-4469-ACC5-9AC62E8449E0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}