CVE-2023-40309 – Missing Authorization check in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40309
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. SAP CommonCryptoLib no realiza las comprobaciones de autenticación necesarias, lo que puede dar como resultado comprobaciones de autorización faltantes o incorrectas para un usuario autenticado, lo que resulta en una escalada de privilegios. Según la aplicación y el nivel de privilegios adquiridos, un atacante podría abusar de la funcionalidad restringida a un grupo de usuarios concreto, así como leer, modificar o eliminar datos restringidos. • https://me.sap.com/notes/3340576 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVE-2023-40624 – Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)
https://notcve.org/view.php?id=CVE-2023-40624
SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application. SAP NetWeaver AS ABAP (aplicaciones basadas en renderizado unificado): versiones SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, permite a un atacante inyectar código JavaScript que se puede ejecutar en la aplicación web . De este modo, un atacante podría controlar el comportamiento de esta aplicación web. • https://me.sap.com/notes/3323163 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-40308 – Memory Corruption vulnerability in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40308
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information. SAP CommonCryptoLib permite que un atacante no autenticado cree una solicitud que, cuando se envía a un puerto abierto, provoca un error de corrupción de memoria en una librería, lo que a su vez provoca que el componente de target falle y deje de estar disponible. No hay posibilidad de ver o modificar ninguna información. • https://me.sap.com/notes/3327896 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-476: NULL Pointer Dereference CWE-787: Out-of-bounds Write •
CVE-2023-37492 – Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-37492
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack. • https://me.sap.com/notes/3348000 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVE-2023-35874 – Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-35874
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability. • https://me.sap.com/notes/3318850 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •