CVE-2023-0014

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3089413	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
https://launchpad.support.sap.com/#/notes/3089413	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_application_server_abap:700::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:701::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:702::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:710::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:711::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:730::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:731::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:740::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:750::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:751::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:752::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:753::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:754::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:755::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:756::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:757::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.81:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.53:::::::*

History

21 Nov 2024, 07:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 9.0
Summary		(es) SAP Netweaver ABAP Server y ABAP Platform - Versiones SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, Kernel 7.22, 7.53, 7.77, 7.81 , 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, crea información sobre la identidad del sistema en un formato ambiguo. Esto podría generar una vulnerabilidad de captura-reproducción y podría ser aprovechado por usuarios malintencionados para obtener acceso ilegítimo al sistema.
References	~~() https://launchpad.support.sap.com/#/notes/3089413 - Permissions Required, Vendor Advisory~~	() https://launchpad.support.sap.com/#/notes/3089413 - Permissions Required, Vendor Advisory
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

Information

Published : 2023-01-10 04:15

Updated : 2024-11-21 07:36

NVD link : CVE-2023-0014

Mitre link : CVE-2023-0014

CVE.ORG link : CVE-2023-0014

JSON object : View

Products Affected

sap

netweaver_application_server_abap
netweaver_application_server_abap_krnl64uc
netweaver_application_server_abap_krnl64nuc
netweaver_application_server_abap_kernel

CWE

CWE-294

Authentication Bypass by Capture-replay

{"id": "CVE-2023-0014", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-01-10T04:15:09.550", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3089413", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://launchpad.support.sap.com/#/notes/3089413", "tags": ["Permissions Required", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-294"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.\n\n\n"}, {"lang": "es", "value": "SAP Netweaver ABAP Server y ABAP Platform - Versiones SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, Kernel 7.22, 7.53, 7.77, 7.81 , 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, crea informaci\u00f3n sobre la identidad del sistema en un formato ambiguo. Esto podr\u00eda generar una vulnerabilidad de captura-reproducci\u00f3n y podr\u00eda ser aprovechado por usuarios malintencionados para obtener acceso ileg\u00edtimo al sistema."}], "lastModified": "2024-11-21T07:36:23.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "6F048ED9-2DDF-4EB9-8571-73832AFABF6A"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "C37DC475-6B9A-493C-9A6F-28CDD65D2A5B"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "2BD9FE51-F76C-439A-A3C0-5279EC1059F7"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "9A8726A6-2AC2-4282-951F-A71AD03572F0"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "6E783E21-1F2A-44A2-BE1C-770370A6739B"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "1E8E6E23-EA96-45D5-BC81-3E5990701AD4"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "8E96C58C-ED44-487B-A67E-FDAE3C29023A"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "3E0CA53D-4335-4872-B527-30802E31B893"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "419BA423-0803-4F51-8889-014A521F02CE"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "DA20ECDC-8807-462C-A0F0-70DF6F5A119B"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "800AAC21-325C-4F16-AE5A-9F89327E5356"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "BDC15DB7-A95B-475F-AAA6-60A801F65690"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "55A2FECF-A32E-4188-9563-E8BA0E952261"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*", "vulnerable": true, "matchCriteriaId": "9CBF2E53-17F0-4BF0-9C38-749C7E611BF4"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A145BFD2-92C8-46B1-8F72-53F6C37018C2"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.53:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A5F121E-49BF-4F08-8623-79DDE0A37B63"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.77:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BF066A7-91C2-4B36-9A1B-80B1BC8A3E8D"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.81:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A677338F-5955-435C-91FD-CC5C1A387024"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.85:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A13006BE-0874-48D6-B8F6-47A117A2AE29"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.89:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65C7E312-AC74-4997-995F-74AB2E53B24B"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A4DCE73-B47A-4FDA-A96D-C251891C8E07"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AC795F5-1AE7-4B4C-B1DD-DEF46BB4122F"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14757DC0-6CAC-4082-B726-719098C2216C"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22ext:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D24E493-7256-4881-9761-D84918EC1D78"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.53:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C060979B-38D0-40FD-B1A1-571F5F7C5E8D"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}

9.0 /10