CVE-2023-42475 — Information Exposure via Error Message in SE SAP S 4hana Core

CWE-209 — Information Exposure via Error Message CWE-200 — Sensitive Information Exposure CWE-197 — Numeric Truncation Error7 documents6 sources

Severity

4.3MEDIUMNVD

CISA9.8

EPSS

0.2%

top 57.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP S 4hana Core SAP S 4hana

Timeline

PublishedOct 10

Description

The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDsap/s_4hana6 versions+5

▶CVEListV5sap_se/sap_s_4hana_core6 versions+5

🔴Vulnerability Details

CVEList

Information Disclosure Vulnerability in Statutory Reporting↗2023-10-10

▶

GHSA

GHSA-wj24-9p82-86v2: The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with min↗2023-10-10

▶

📋Vendor Advisories

CISA

Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability↗2022-12-13

▶

📐Framework References

ATT&CK

BOLDMOVE↗

▶

ATT&CK

COATHANGER↗

▶