CVE-2023-41366

Summary

Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 722affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.53affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.77affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.85affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.89affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.54affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.91affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.92affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.93affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.94affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL64UC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL64UC 7.22EXTaffected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL64UC 7.53affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL64NUC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL64NUC 7.22EXTaffected

Weaknesses

  • CWE-497: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References