CVE-2023-36924

Summary

While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP ERP Defense Forces and Public Security600affected
SAP_SESAP ERP Defense Forces and Public Security603affected
SAP_SESAP ERP Defense Forces and Public Security604affected
SAP_SESAP ERP Defense Forces and Public Security605affected
SAP_SESAP ERP Defense Forces and Public Security616affected
SAP_SESAP ERP Defense Forces and Public Security617affected
SAP_SESAP ERP Defense Forces and Public Security618affected
SAP_SESAP ERP Defense Forces and Public Security802affected
SAP_SESAP ERP Defense Forces and Public Security803affected
SAP_SESAP ERP Defense Forces and Public Security804affected
SAP_SESAP ERP Defense Forces and Public Security805affected
SAP_SESAP ERP Defense Forces and Public Security806affected
SAP_SESAP ERP Defense Forces and Public Security807affected

Weaknesses

  • CWE-117: CWE-117: Improper Output Neutralization for Logs

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References