CVE-2023-35874

Summary

SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKRNL64NUC 722affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKRNL64NUC 7.22EXTaffected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKRNL64UC 7.22affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKRNL64UC 7.22EXTaffected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKRNL64UC 7.53affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.22affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.53affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.77affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.81affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.85affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.89affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.54affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.92affected
SAP_SESAP NetWeaver AS ABAP and ABAP PlatformKERNEL 7.93affected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References