CVE-2023-31403

SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3355658	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:business_one:10.0:*:*:*:*:*:*:*

History

20 Nov 2023, 19:51

Type	Values Removed	Values Added
First Time		Sap business One Sap
CWE		CWE-863
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.0
CPE		cpe:2.3:a:sap:business_one:10.0:::::::*
References	~~() https://me.sap.com/notes/3355658 -~~	() https://me.sap.com/notes/3355658 - Permissions Required
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

14 Nov 2023, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-14 01:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-31403

Mitre link : CVE-2023-31403

CVE.ORG link : CVE-2023-31403

JSON object : View

Products Affected

sap

business_one

CWE

CWE-863

Incorrect Authorization

CWE-284

Improper Access Control

{"id": "CVE-2023-31403", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2023-11-14T01:15:07.413", "references": [{"url": "https://me.sap.com/notes/3355658", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.\n\n"}, {"lang": "es", "value": "La instalaci\u00f3n de SAP Business One versi\u00f3n 10.0, no realiza comprobaciones de autenticaci\u00f3n y autorizaci\u00f3n adecuadas para la carpeta compartida SMB. Como resultado, cualquier usuario malintencionado puede leer y escribir en la carpeta compartida de SMB. Adem\u00e1s, los archivos de la carpeta se pueden ejecutar o utilizar en el proceso de instalaci\u00f3n, lo que genera un impacto considerable en la confidencialidad, la integridad y la disponibilidad."}], "lastModified": "2023-11-20T19:51:15.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_one:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391F491C-2DE8-44E5-B054-42F188161C8A"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}