CVE-2023-37491

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-37491
The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://me.sap.com/notes/3344295 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:message_server:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:krnl64nuc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:krnl64nuc_7.22ex:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.53:*:*:*:*:*:*:*
History

09 Aug 2023, 18:20

Type Values Removed Values Added
References (MISC) https://me.sap.com/notes/3344295 - (MISC) https://me.sap.com/notes/3344295 - Permissions Required
References (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
First Time Sap message Server
Sap
CPE cpe:2.3:a:sap:message_server:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:krnl64nuc_7.22ex:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:rnl64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:message_server:krnl64nuc_7.22:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

08 Aug 2023, 01:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-08 01:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-37491

Mitre link : CVE-2023-37491

CVE.ORG link : CVE-2023-37491

JSON object : View

Products Affected

sap

  • message_server
CWE
CWE-285

Improper Authorization