CVE-2023-40309

CWE-863 — Incorrect Authorization CWE-862 — Missing Authorization3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.2%

top 62.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Commoncryptolib SAP SE SAP Content Server SAP SE SAP Extended Application Services AND Runtime (xsa)+13 more

Timeline

PublishedSep 12

Latest updateSep 15

Description

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages15 packages

▶NVDsap/hana_database2.0

▶NVDsap/commoncryptolib8.0.0

▶CVEListV5sap_se/sap_hana_database2.00

▶NVDsap/netweaver_application17 versions+16

▶CVEListV5sap_se/sap_commoncryptolib8

🔴Vulnerability Details

GHSA

GHSA-42qx-rv8j-r8f3: SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated u↗2023-09-15

▶

CVEList

Missing Authorization check in SAP CommonCryptoLib↗2023-09-12

▶