CVE-2023-40309

Summary

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP CommonCryptoLib8affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.22affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.53affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.54affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.77affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.85affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.89affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.91affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.92affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 7.93affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL 8.04affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64UC 7.22affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64UC 7.22EXTaffected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64UC 7.53affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64UC 8.04affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64NUC 7.22affected
SAP_SESAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premiseKERNEL64NUC 7.22EXTaffected
SAP_SESAP Web Dispatcher7.22EXTaffected
SAP_SESAP Web Dispatcher7.53affected
SAP_SESAP Web Dispatcher7.54affected
SAP_SESAP Web Dispatcher7.77affected
SAP_SESAP Web Dispatcher7.85affected
SAP_SESAP Web Dispatcher7.89affected
SAP_SESAP Content Server6.50affected
SAP_SESAP Content Server7.53affected
SAP_SESAP Content Server7.54affected
SAP_SESAP HANA Database2.00affected
SAP_SESAP Host Agent722affected
SAP_SESAP Extended Application Services and Runtime (XSA)SAP_EXTENDED_APP_SERVICES 1affected
SAP_SESAP Extended Application Services and Runtime (XSA)XS_ADVANCED_RUNTIME 1.00affected
SAP_SESAPSSOEXT17affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References