CVE-2023-49581 — SQL Injection in SE SAP Netweaver Application Server Abap AND Abap Platform

CWE-89 — SQL Injection CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

9.4CRITICALNVD

CNA4.1

EPSS

0.1%

top 78.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Abap AND Abap Platform SAP Netweaver Application Server Abap

Timeline

PublishedDec 12

Description

SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 3.9 | Impact: 5.5

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_abap_and_abap_platform4 versions+3

▶NVDsap/netweaver_application4 versions+3

🔴Vulnerability Details

CVEList

SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform↗2023-12-12

▶

GHSA

GHSA-ghxm-9fh8-8p5g: SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential↗2023-12-12

▶