CVE-2023-40309

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3340576	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:commoncryptolib:8.0.0:::::::*
	cpe:2.3:a:sap:content_server:6.50:::::::*
	cpe:2.3:a:sap:content_server:7.53:::::::*
	cpe:2.3:a:sap:content_server:7.54:::::::*
	cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:::::::*
	cpe:2.3:a:sap:hana_database:2.0:::::::*
	cpe:2.3:a:sap:host_agent:722:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:::::::*
	cpe:2.3:a:sap:sapssoext:17.0:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.22ext:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.53:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.54:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.77:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.85:::::::*
	cpe:2.3:a:sap:web_dispatcher:7.89:::::::*

History

15 Sep 2023, 17:05

Type	Values Removed	Values Added
First Time		Sap web Dispatcher Sap Sap netweaver Application Server Java Sap hana Database Sap host Agent Sap netweaver Application Server Abap Sap extended Application Services And Runtime Sap sapssoext Sap content Server Sap commoncryptolib
CPE		cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:::::::* cpe:2.3:a:sap:web_dispatcher:7.89:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:::::::* cpe:2.3:a:sap:content_server:7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:::::::* cpe:2.3:a:sap:web_dispatcher:7.77:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:::::::* cpe:2.3:a:sap:content_server:6.50:::::::* cpe:2.3:a:sap:commoncryptolib:8.0.0:::::::* cpe:2.3:a:sap:web_dispatcher:7.22ext:::::::* cpe:2.3:a:sap:sapssoext:17.0:::::::* cpe:2.3:a:sap:web_dispatcher:7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:::::::* cpe:2.3:a:sap:web_dispatcher:7.85:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:::::::* cpe:2.3:a:sap:web_dispatcher:7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:::::::* cpe:2.3:a:sap:content_server:7.53:::::::* cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:::::::* cpe:2.3:a:sap:hana_database:2.0:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:::::::* cpe:2.3:a:sap:host_agent:722:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:::::::* cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:::::::* cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:::::::*
References	~~(MISC) https://me.sap.com/notes/3340576 -~~	(MISC) https://me.sap.com/notes/3340576 - Permissions Required, Vendor Advisory
References	~~(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

12 Sep 2023, 11:52

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-12 03:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-40309

Mitre link : CVE-2023-40309

CVE.ORG link : CVE-2023-40309

JSON object : View

Products Affected

sap

hana_database
content_server
sapssoext
web_dispatcher
host_agent
netweaver_application_server_java
netweaver_application_server_abap
commoncryptolib
extended_application_services_and_runtime

CWE

CWE-862

Missing Authorization

9.8 /10