CVE-2023-40309

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-40309
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://me.sap.com/notes/3340576 Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
https://me.sap.com/notes/3340576 Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:commoncryptolib:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:6.50:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:hana_database:2.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:host_agent:722:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:sapssoext:17.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*
History

21 Nov 2024, 08:19

Type Values Removed Values Added
References () https://me.sap.com/notes/3340576 - Permissions Required, Vendor Advisory () https://me.sap.com/notes/3340576 - Permissions Required, Vendor Advisory
References () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory () https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

28 Sep 2024, 22:15

Type Values Removed Values Added
Summary (en) SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. (en) SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
CWE CWE-862 CWE-863

15 Sep 2023, 17:05

Type Values Removed Values Added
References (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
References (MISC) https://me.sap.com/notes/3340576 - (MISC) https://me.sap.com/notes/3340576 - Permissions Required, Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:hana_database:2.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:commoncryptolib:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:sapssoext:17.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:6.50:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:7.54:*:*:*:*:*:*:*
cpe:2.3:a:sap:host_agent:722:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:*:*:*:*:*:*:*
cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:*:*:*:*:*:*:*
cpe:2.3:a:sap:web_dispatcher:7.54:*:*:*:*:*:*:*
First Time Sap netweaver Application Server Abap
Sap hana Database
Sap web Dispatcher
Sap sapssoext
Sap
Sap content Server
Sap extended Application Services And Runtime
Sap commoncryptolib
Sap netweaver Application Server Java
Sap host Agent

12 Sep 2023, 11:52

Type Values Removed Values Added
New CVE
Information

Published : 2023-09-12 03:15

Updated : 2024-11-21 08:19

NVD link : CVE-2023-40309

Mitre link : CVE-2023-40309

CVE.ORG link : CVE-2023-40309

JSON object : View

Products Affected

sap

  • content_server
  • hana_database
  • extended_application_services_and_runtime
  • web_dispatcher
  • sapssoext
  • commoncryptolib
  • netweaver_application_server_java
  • netweaver_application_server_abap
  • host_agent
CWE
CWE-863

Incorrect Authorization