CVE-2023-35874
6
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64NUC 722 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64NUC 7.22EXT | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64UC 7.22 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64UC 7.22EXT | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64UC 7.53 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.22 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.53 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.77 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.81 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.85 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.89 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.54 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.92 | affected |
| SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform | KERNEL 7.93 | affected |
Weaknesses
- CWE-306: CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CVE Program Container
Additional References
- https://me.sap.com/notes/3318850
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://me.sap.com/notes/3318850
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.