CVE-2023-33992

Summary

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Business Warehouse and SAP BW/4HANASAP_BW 730affected
SAP_SESAP Business Warehouse and SAP BW/4HANASAP_BW 731affected
SAP_SESAP Business Warehouse and SAP BW/4HANASAP_BW 740affected
SAP_SESAP Business Warehouse and SAP BW/4HANASAP_BW 750affected
SAP_SESAP Business Warehouse and SAP BW/4HANADW4CORE 100affected
SAP_SESAP Business Warehouse and SAP BW/4HANADW4CORE 200affected
SAP_SESAP Business Warehouse and SAP BW/4HANADW4CORE 300affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References