Main Vulnerability Database Vulnerabilities #VU75122

Input validation error in SAP Diagnostics Agent - CVE-2023-27497

Published: April 14, 2023

Vulnerability identifier: #VU75122

CSH Severity: Critical

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

CVE-ID: CVE-2023-27497

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SAP Diagnostics Agent

Software vendor:
SAP

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in the EventLogServiceCollector. A remote attacker can pass specially crafted input to the application and execute malicious scripts on all connected Diagnostics Agents running on Windows.

Remediation

Install updates from vendor's website.

External links

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
https://launchpad.support.sap.com/#/notes/3305369

Input validation error in SAP Diagnostics Agent - CVE-2023-27497

Description

Remediation

External links

Please verify you're human