CVE-2023-39439Empty Password in Configuration File in SE SAP Commerce

CWE-258Empty Password in Configuration FileCWE-1390Weak Authentication3 documents3 sources
Severity
9.8CRITICALNVD
CNA8.8
EPSS
0.3%
top 46.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
SAP SE SAP CommerceSAP Commerce CloudSAP Commerce Hycom
Timeline
PublishedAug 8

Description

SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDsap/commerce_hycom2105, 2205+1
CVEListV5sap_se/sap_commerceCOM_CLOUD 2211, HY_COM 2105, HY_COM 2205+2

🔴Vulnerability Details

2
GHSA
GHSA-c745-qw8j-jhvx: SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphras2023-08-08
CVEList
SAP Commerce accepts empty passphrases.2023-08-08
CVE-2023-39439 — Empty Password in Configuration File | cvebase