Missing Authorization in SAP NetWeaver AS ABAP

#VU79277 Missing Authorization in SAP NetWeaver AS ABAP

Published: 2023-08-09

Vulnerability identifier: #VU79277

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-37492

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP NetWeaver AS ABAP
Server applications / Application servers

Vendor: SAP

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to missing authorization checks. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP NetWeaver AS ABAP: 700 - 804

External links
http://me.sap.com/notes/3348000
http://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing authorization in SAP NetWeaver AS ABAP