CVE-2023-28761 — Missing Authentication for Critical Function in SAP Netweaver Enterprise Portal

CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 40.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver Enterprise Portal

Timeline

PublishedApr 11

Latest updateJul 6

Description

In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5sap/netweaver_enterprise_portal7.50

▶NVDsap/netweaver_enterprise_portal7.50

🔴Vulnerability Details

GHSA

GHSA-7mj9-5274-6hpv: In SAP NetWeaver Enterprise Portal - version 7↗2023-07-06

▶

CVEList

Missing Authentication check in SAP NetWeaver Enterprise Portal↗2023-04-11

▶