Request a Demo
Rewterz
Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs
November 15, 2023
Rewterz
Rewterz Threat Alert – Fashion Industry Professionals Targeted by Ducktail Malware’s Newest Campaign – Active IOCs
November 15, 2023

Rewterz Threat Advisory – Multiple SAP Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-31403 CVSS: 9.6

SAP Business One could allow a remote attacker to bypass security restrictions, caused by not perform proper authentication and authorization checks for SMB shared folder. By sending a specially crafted request, an attacker could exploit this vulnerability to read and write to the SMB shared folder.

CVE-2023-42480 CVSS: 5.3

SAP NetWeaver AS Java could allow a remote attacker to obtain sensitive information, caused by a flaw in the login function. By utilize brute force attack techniques, an attacker could exploit this vulnerability to obtain user ids information, and use this information to launch further attacks against the affected system.

CVE-2023-41366 CVSS: 5.3

SAP NetWeaver AS ABAP and ABAP Platform could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

Impact

  • Security Bypass
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2023-31403
  • CVE-2023-42480
  • CVE-2023-41366

Affected Vendors

SAP

Affected Products

  • SAP Business One 10.0
  • SAP NetWeaver AS Java 7.50
  • SAP NetWeaver AS ABAP KERNEL 7.22
  • SAP NetWeaver AS ABAP KERNEL 7.53
  • SAP NetWeaver AS ABAP KERNEL 7.77
  • SAP NetWeaver AS ABAP Platform KERNEL 7.22
  • SAP NetWeaver AS ABAP Platform KERNEL 7.77
  • SAP NetWeaver AS ABAP KERNEL 7.85
  • SAP NetWeaver AS ABAP Platform KERNEL 7.85
  • SAP NetWeaver AS ABAP KERNEL 7.89
  • SAP NetWeaver AS ABAP KERNEL 7.54
  • SAP NetWeaver AS ABAP KERNEL 7.92
  • SAP NetWeaver AS ABAP KERNEL 7.93
  • SAP NetWeaver AS ABAP Platform KERNEL 7.53
  • SAP NetWeaver AS ABAP Platform KERNEL 7.89
  • SAP NetWeaver AS ABAP Platform KERNEL 7.54
  • SAP NetWeaver AS ABAP Platform KERNEL 7.92
  • SAP NetWeaver AS ABAP Platform KERNEL 7.93
  • SAP NetWeaver AS ABAP KERNEL 7.91
  • SAP NetWeaver AS ABAP KERNEL 7.94
  • SAP NetWeaver AS ABAP KERNEL64UC 7.22EXT
  • SAP NetWeaver AS ABAP KERNEL64UC 7.53
  • SAP NetWeaver AS ABAP KERNEL64UC 7.22
  • SAP NetWeaver AS ABAP KERNEL64NUC 7.22
  • SAP NetWeaver AS ABAP KERNEL64NUC 7.22EXT
  • SAP NetWeaver AS ABAP Platform KERNEL 7.91
  • SAP NetWeaver AS ABAP Platform KERNEL 7.94
  • SAP NetWeaver AS ABAP Platform KERNEL64UC 7.22
  • SAP NetWeaver AS ABAP Platform KERNEL64UC 7.22EXT
  • SAP NetWeaver AS ABAP Platform KERNEL64UC 7.53
  • SAP NetWeaver AS ABAP Platform KERNEL64NUC 7.22
  • SAP NetWeaver AS ABAP Platform KERNEL64NUC 7.22EXT

Remediation

Refer to SAP Security Advisory for patch information, available from the SAP Web site. Login required.

CVE-2023-31403

CVE-2023-42480

CVE-2023-41366