CVE-2023-0016

SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3275391	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
https://launchpad.support.sap.com/#/notes/3275391	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:business_planning_and_consolidation:800:::::microsoft::
	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::microsoft::

History

21 Nov 2024, 07:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 9.9
Summary		(es) SAP BPC MS 10.0 - versión 810, permite a un atacante no autorizado ejecutar consultas de bases de datos manipuladas. La explotación de este problema podría conducir a una vulnerabilidad de inyección SQL y podría permitir a un atacante acceder, modificar y/o eliminar datos de la base de datos backend.
References	~~() https://launchpad.support.sap.com/#/notes/3275391 - Permissions Required, Vendor Advisory~~	() https://launchpad.support.sap.com/#/notes/3275391 - Permissions Required, Vendor Advisory
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

Information

Published : 2023-01-10 04:15

Updated : 2024-11-21 07:36

NVD link : CVE-2023-0016

Mitre link : CVE-2023-0016

CVE.ORG link : CVE-2023-0016

JSON object : View

Products Affected

sap

business_planning_and_consolidation

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-0016", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-01-10T04:15:09.797", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["Permissions Required", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}, {"lang": "es", "value": "SAP BPC MS 10.0 - versi\u00f3n 810, permite a un atacante no autorizado ejecutar consultas de bases de datos manipuladas. La explotaci\u00f3n de este problema podr\u00eda conducir a una vulnerabilidad de inyecci\u00f3n SQL y podr\u00eda permitir a un atacante acceder, modificar y/o eliminar datos de la base de datos backend."}], "lastModified": "2024-11-21T07:36:23.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:800:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "6C81EEA1-659E-4080-84E6-8F61937F95B9"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "AAB2F486-AF82-4469-ACC5-9AC62E8449E0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}