CVE-2023-24523

CWE-668Exposure to Wrong Sphere3 documents3 sources
Severity
8.8HIGH
EPSS
0.1%
top 69.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP Host Agent ServiceSAP Host Agent
Timeline
PublishedFeb 14

Description

An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages2 packages

CVEListV5sap/host_agent_service7.21, 7.22+1
NVDsap/host_agent7.21, 7.22+1

🔴Vulnerability Details

2
CVEList
CVE-2023-24523: An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 72023-02-14
GHSA
GHSA-xxh6-f3x3-2xgf: An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 72023-02-14
CVE-2023-24523 (HIGH CVSS 8.8) | An attacker authenticated as a non- | cvebase.io