CVE-2023-40309

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3340576	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:commoncryptolib:8.0.0:::::::*
	cpe:2.3:a:sap:content_server:6.50:::::::*
	cpe:2.3:a:sap:content_server:7.53:::::::*
	cpe:2.3:a:sap:content_server:7.54:::::::*
	cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:::::::*
	cpe:2.3:a:sap:hana_database:2.0:::::::*
	cpe:2.3:a:sap:host_agent:722:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:::::::*
	cpe:2.3:a:sap:sapssoext:17.0:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.22ext:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.53:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.54:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.77:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.85:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.89:::::::*

History

15 Sep 2023, 17:05

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~(MISC) https://me.sap.com/notes/3340576 -~~	(MISC) https://me.sap.com/notes/3340576 - Permissions Required, Vendor Advisory
References	~~(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
CPE		cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:::::::* cpe:2.3:a:sap:web_dispatcher:7.89:::::::* cpe:2.3:a:sap:web_dispatcher:7.53:::::::* cpe:2.3:a:sap:sapssoext:17.0:::::::* cpe:2.3:a:sap:web_dispatcher:7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:::::::* cpe:2.3:a:sap:web_dispatcher:7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:::::::* cpe:2.3:a:sap:host_agent:722:::::::* cpe:2.3:a:sap:web_dispatcher:7.77:::::::* cpe:2.3:a:sap:hana_database:2.0:::::::* cpe:2.3:a:sap:content_server:7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:::::::* cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:::::::* cpe:2.3:a:sap:content_server:7.54:::::::* cpe:2.3:a:sap:commoncryptolib:8.0.0:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:::::::* cpe:2.3:a:sap:content_server:6.50:::::::* cpe:2.3:a:sap:web_dispatcher:7.85:::::::*
First Time		Sap host Agent Sap hana Database Sap netweaver Application Server Java Sap content Server Sap Sap extended Application Services And Runtime Sap sapssoext Sap netweaver Application Server Abap Sap commoncryptolib Sap web Dispatcher

12 Sep 2023, 11:52

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-12 03:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-40309

Mitre link : CVE-2023-40309

CVE.ORG link : CVE-2023-40309

JSON object : View

Products Affected

sap

commoncryptolib
netweaver_application_server_abap
web_dispatcher
netweaver_application_server_java
sapssoext
extended_application_services_and_runtime
host_agent
content_server
hana_database

CWE

CWE-862

Missing Authorization

9.8 /10