CVE-2023-24526

CWE-306 — Missing Authentication3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 40.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver AS Java FOR Classload Service SAP Netweaver Application Server Java

Timeline

PublishedMar 14

Description

SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap/netweaver_as_java_for_classload_service7.50

▶NVDsap/netweaver_application7.50

🔴Vulnerability Details

GHSA

GHSA-gv3m-g54h-56c6: SAP NetWeaver Application Server Java for Classload Service - version 7↗2023-03-14

▶

CVEList

Improper Access Control in SAP NetWeaver AS Java (Classload Service)↗2023-03-14

▶