CVE-2023-30744 – Improper access control during application start-up in SAP AS NetWeaver JAVA.
https://notcve.org/view.php?id=CVE-2023-30744
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability. • https://launchpad.support.sap.com/#/notes/3317453 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVE-2023-28761 – Missing Authentication check in SAP NetWeaver Enterprise Portal
https://notcve.org/view.php?id=CVE-2023-28761
In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity. • https://launchpad.support.sap.com/#/notes/3289994 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVE-2023-27268 – Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service)
https://notcve.org/view.php?id=CVE-2023-27268
SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability., resulting in escalation of privileges. • https://launchpad.support.sap.com/#/notes/3288480 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-284: Improper Access Control •
CVE-2023-26461 – XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal)
https://notcve.org/view.php?id=CVE-2023-26461
SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. • https://launchpad.support.sap.com/#/notes/3284550 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-26460 – Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)
https://notcve.org/view.php?id=CVE-2023-26460
Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity • https://launchpad.support.sap.com/#/notes/3288096 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-284: Improper Access Control •