Missing Authentication for Critical Function in SAP NetWeaver AS JAVA - CVE-2023-30744

Published: March 8, 2024


Vulnerability identifier: #VU87307
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-30744
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
SAP NetWeaver AS JAVA

Detailed vulnerability description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to excessive data output by the application. A remote attacker can attach to an open interface and use an open naming and directory API to instantiate an object whose methods can then be called without further authentication or authorization.
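As an added illustration of the CWE-306 pattern this advisory describes, and not code from SAP, from NetWeaver AS Java, or from this advisory: a hypothetical Java service of the kind a naming/directory lookup hands back to a remote caller, shown first with no caller check at all and then wrapped so that every method re-establishes who is calling before it runs. All class, method and role names here are assumptions made for the example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration of CWE-306 (missing authentication for a critical function).
// Not SAP code and not derived from the advisory above; every name here is an assumption.
public class MissingAuthDemo {

    /** Contract for an object a remote caller can obtain by name and invoke. */
    interface ConfigService {
        void setValue(String key, String value);   // state-changing: the critical function
        String getValue(String key);
    }

    /** Vulnerable shape: obtaining the reference is the only hurdle; no method checks who is calling. */
    static class UnprotectedConfigService implements ConfigService {
        private final Map<String, String> store = new HashMap<>();
        public void setValue(String key, String value) { store.put(key, value); }
        public String getValue(String key) { return store.get(key); }
    }

    /** Identity of the current caller, as a container would establish it before dispatch. */
    static final class CallerContext {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();
        static void setPrincipal(Principal p) { CURRENT.set(p); }
        static void clear() { CURRENT.remove(); }
        static Principal current() { return CURRENT.get(); }
    }

    /** Hardened shape: every method requires an authenticated caller; writes additionally require an admin. */
    static class ProtectedConfigService implements ConfigService {
        private final ConfigService delegate;
        private final Set<String> admins;

        ProtectedConfigService(ConfigService delegate, Set<String> admins) {
            this.delegate = delegate;
            this.admins = admins;
        }

        private Principal requireAuthenticated(String method) {
            Principal p = CallerContext.current();
            if (p == null) {
                throw new SecurityException("unauthenticated call to " + method);
            }
            return p;
        }

        private void requireAdmin(String method) {
            Principal p = requireAuthenticated(method);
            if (!admins.contains(p.getName())) {
                throw new SecurityException("caller " + p.getName() + " is not authorized for " + method);
            }
        }

        public void setValue(String key, String value) {
            requireAdmin("setValue");
            delegate.setValue(key, value);
        }

        public String getValue(String key) {
            requireAuthenticated("getValue");
            return delegate.getValue(key);
        }
    }

    public static void main(String[] args) {
        // Vulnerable: an anonymous caller changes configuration and nothing stops it.
        ConfigService vulnerable = new UnprotectedConfigService();
        vulnerable.setValue("audit.enabled", "false");
        System.out.println("vulnerable: audit.enabled=" + vulnerable.getValue("audit.enabled"));

        // Hardened: the same call without an established identity is rejected.
        ConfigService hardened = new ProtectedConfigService(new UnprotectedConfigService(), Set.of("admin"));
        try {
            hardened.setValue("audit.enabled", "false");
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage());
        }

        // Hardened: an authenticated non-admin may read but not write.
        CallerContext.setPrincipal(() -> "reader");
        try {
            System.out.println("hardened (reader): audit.enabled=" + hardened.getValue("audit.enabled"));
            hardened.setValue("audit.enabled", "false");
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage());
        } finally {
            CallerContext.clear();
        }

        // Hardened: an authenticated admin may write.
        CallerContext.setPrincipal(() -> "admin");
        try {
            hardened.setValue("audit.enabled", "true");
            System.out.println("hardened (admin): audit.enabled=" + hardened.getValue("audit.enabled"));
        } finally {
            CallerContext.clear();
        }
    }
}
```

Compile and run with `javac MissingAuthDemo.java && java MissingAuthDemo` (Java 9 or later for `Set.of`). The design point is that reaching an object through a directory lookup must never be treated as proof of authorization: the hardened wrapper checks the caller's identity and role on every invocation, so an open naming interface on its own no longer grants the ability to modify data.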


How to mitigate CVE-2023-30744

Install updates from the vendor's website.

Sources