Information disclosure in PowerDesigner - CVE-2023-37484

Published: August 9, 2023


Vulnerability identifier: #VU79265
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37484
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
PowerDesigner

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a design error in the authentication mechanism. During a login attempt the application retrieves all password hashes from the backend database and compares them with the user-provided credential on the client side, rather than letting the backend verify only the target account. As a result, a local user who can read the client process memory can recover the password hashes of every account.
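The pattern described above, as an added illustration that is not PowerDesigner's or SAP's code: the vulnerable login pulls the whole user table into the client and compares locally, so every account's hash lands in client memory; the hardened version sends only the username to a server-side check that returns a boolean. The SQLite schema, the sample users and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the hash format itself is not the flaw here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed sample user table (not real data) standing in for the backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "s3cret!")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_pw(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """CWE-200 pattern: the client fetches every row and compares locally.

    Returns (authenticated, hashes_now_in_client_memory) so the exposure is
    observable; a real client would not return the dict, but it would still
    hold it in memory where a local user could read it.
    """
    rows = conn.execute("SELECT username, salt, pw_hash FROM users").fetchall()
    exposed = {u: h for u, _s, h in rows}      # every account's hash is now client-side
    for u, s, h in rows:
        if u == username and hash_pw(password, s) == h:
            return True, exposed
    return False, exposed


def verify_server_side(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: look up one account and verify on the server side.

    Only a boolean leaves this function, so the client never sees any hash.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_pw(password, b"\x00" * 16)        # equalise work for unknown usernames
        return False
    salt, stored = row
    return hmac.compare_digest(hash_pw(password, salt), stored)


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What the client receives from the backend: a verdict, not the hash table."""
    return verify_server_side(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    ok, leaked = login_vulnerable(db, "alice", "correct horse")
    print("vulnerable login:", ok, "hashes in client memory:", sorted(leaked))
    print("hardened login:", login_hardened(db, "alice", "correct horse"))
```

The fix that matters is where the comparison runs, not how it runs: once verification is performed by the backend against a single row, the client holds at most the credential the user typed, and a memory dump yields nothing about other accounts.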


How to mitigate CVE-2023-37484

Install updates from the vendor's website.

Sources