CVE-2023-30744

CWE-306Missing Authentication3 documents3 sources
Severity
9.1CRITICAL
EPSS
0.3%
top 42.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP AS Netweaver JavaSAP Netweaver Application Server FOR Java
Timeline
PublishedMay 9
Latest updateJul 6

Description

In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

CVEListV5sap_se/sap_as_netweaver_javaCORE-TOOLS 7.50, J2EE-FRMW 7.50, SERVERCORE 7.50+2

🔴Vulnerability Details

2
GHSA
GHSA-464f-pfvj-h8rq: In SAP AS NetWeaver JAVA - versions SERVERCORE 72023-07-06
CVEList
Improper access control during application start-up in SAP AS NetWeaver JAVA.2023-05-09
CVE-2023-30744 (CRITICAL CVSS 9.1) | In SAP AS NetWeaver JAVA - versions | cvebase.io