CVE-2023-23857

Improper Access Control in SAP NetWeaver AS for Java

CVSS 9.9 CRITICALEPSS 0.5%CWE-287

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.9EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Mar 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

Affected products

SAP · NetWeaver AS for Java

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://launchpad.support.sap.com/#/notes/3252433 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html