Missing Authentication for Critical Function in SAP NetWeaver Enterprise Portal

#VU75129 Missing Authentication for Critical Function in SAP NetWeaver Enterprise Portal

Published: 2023-04-14

Vulnerability identifier: #VU75129

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28761

CWE-ID: CWE-306

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP NetWeaver Enterprise Portal
Web applications / CRM systems

Vendor: SAP

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the API. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP NetWeaver Enterprise Portal: 7.50

External links
http://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
http://launchpad.support.sap.com/#/notes/3289994

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper access control in SAP NetWeaver Enterprise Portal