CVE-2023-27269

Summary

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files.  In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.

Affected Software

VendorProductVersion RangeStatus
SAPNetWeaver Application Server for ABAP and ABAP Platform700affected
SAPNetWeaver Application Server for ABAP and ABAP Platform701affected
SAPNetWeaver Application Server for ABAP and ABAP Platform702affected
SAPNetWeaver Application Server for ABAP and ABAP Platform731affected
SAPNetWeaver Application Server for ABAP and ABAP Platform740affected
SAPNetWeaver Application Server for ABAP and ABAP Platform750affected
SAPNetWeaver Application Server for ABAP and ABAP Platform751affected
SAPNetWeaver Application Server for ABAP and ABAP Platform752affected
SAPNetWeaver Application Server for ABAP and ABAP Platform753affected
SAPNetWeaver Application Server for ABAP and ABAP Platform754affected
SAPNetWeaver Application Server for ABAP and ABAP Platform755affected
SAPNetWeaver Application Server for ABAP and ABAP Platform756affected
SAPNetWeaver Application Server for ABAP and ABAP Platform757affected
SAPNetWeaver Application Server for ABAP and ABAP Platform791affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References