CVE-2023-27268

CWE-284 — Improper Access Control3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 42.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver AS Java (object Analyzing Service)SAP Netweaver Application Server FOR Java

Timeline

PublishedMar 14

Description

SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability., resulting in escalation of privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap/netweaver_as_java_(object_analyzing_service)7.50

▶NVDsap/netweaver_application7.50

🔴Vulnerability Details

GHSA

GHSA-7gph-fg9q-775p: SAP NetWeaver AS Java (Object Analyzing Service) - version 7↗2023-03-14

▶

CVEList

Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service)↗2023-03-14

▶