Vulnerability Description
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Commoncryptolib | 8.0.0 |
| Sap | Content Server | 6.50 |
| Sap | Extended Application Services And Runtime | 1.0 |
| Sap | Hana Database | 2.0 |
| Sap | Host Agent | 722 |
| Sap | Netweaver Application Server Abap | 7.22ext |
| Sap | Netweaver Application Server Java | kernel_7.22 |
| Sap | Sapssoext | 17.0 |
| Sap | Web Dispatcher | 7.22ext |
Related Weaknesses (CWE)
References
- https://me.sap.com/notes/3340576Permissions RequiredVendor Advisory
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
- https://me.sap.com/notes/3340576Permissions RequiredVendor Advisory
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
FAQ
What is CVE-2023-40309?
CVE-2023-40309 is a vulnerability with a CVSS score of 9.8 (CRITICAL). SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depend...
How severe is CVE-2023-40309?
CVE-2023-40309 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-40309?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Commoncryptolib, Sap Content Server, Sap Extended Application Services And Runtime, Sap Hana Database, Sap Host Agent.