CVE-2023-33992

CWE-862 — Missing Authorization3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 68.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Business Warehouse AND SAP Bw/4hana SAP Business Warehouse SAP Bw\/4hana

Timeline

PublishedJul 11

Description

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5sap_se/sap_business_warehouse_and_sap_bw/4hana7 versions+6

▶NVDsap/business_warehouse4 versions+3

▶NVDsap/bw\/4hana100, 200, 300+2

🔴Vulnerability Details

CVEList

Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA↗2023-07-11

▶

GHSA

GHSA-pgvh-wr92-g752: The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, D↗2023-07-11

▶