ID

VAR-202307-0926


CVE

CVE-2023-35872


TITLE

Vulnerability regarding lack of authentication for critical features in SAP NetWeaver Process Integration

Trust: 0.8

sources: JVNDB: JVNDB-2023-021770

DESCRIPTION

The Message Display Tool (MDT) of SAP NetWeaver Process Integration, version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. An unauthenticated user might access technical data about the product status and its configuration. The vulnerability does not allow access to sensitive information or administrative functionalities. On successful exploitation, an attacker can cause limited impact on confidentiality and availability of the application. SAP NetWeaver Process Integration contains a vulnerability regarding lack of authentication for critical features. Information may be obtained and the service may be placed in a denial-of-service (DoS) state.

Trust: 1.71

sources: NVD: CVE-2023-35872 // JVNDB: JVNDB-2023-021770 // VULMON: CVE-2023-35872

AFFECTED PRODUCTS

vendor: sap, model: netweaver process integration, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver process integration, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver process integration, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-021770 // NVD: CVE-2023-35872

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-35872
value: MEDIUM

Trust: 1.0

cna@sap.com: CVE-2023-35872
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-35872
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202307-691
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2023-35872
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 2.0

NVD: CVE-2023-35872
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-021770 // CNNVD: CNNVD-202307-691 // NVD: CVE-2023-35872 // NVD: CVE-2023-35872

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:Lack of authentication for critical features (CWE-306) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-021770 // NVD: CVE-2023-35872

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202307-691

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202307-691

PATCH

title: SAP NetWeaver Process Integration Fixes for access control error vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=246820

Trust: 0.6

sources: CNNVD: CNNVD-202307-691

EXTERNAL IDS

db: NVD, id: CVE-2023-35872

Trust: 3.3

db: JVNDB, id: JVNDB-2023-021770

Trust: 0.8

db: CNNVD, id: CNNVD-202307-691

Trust: 0.6

db: VULMON, id: CVE-2023-35872

Trust: 0.1

sources: VULMON: CVE-2023-35872 // JVNDB: JVNDB-2023-021770 // CNNVD: CNNVD-202307-691 // NVD: CVE-2023-35872

REFERENCES

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 2.5

url:https://me.sap.com/notes/3343564

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2023-35872

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-35872/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-35872 // JVNDB: JVNDB-2023-021770 // CNNVD: CNNVD-202307-691 // NVD: CVE-2023-35872

SOURCES

db: VULMON, id: CVE-2023-35872
db: JVNDB, id: JVNDB-2023-021770
db: CNNVD, id: CNNVD-202307-691
db: NVD, id: CVE-2023-35872

LAST UPDATE DATE

2024-08-14T15:36:53.621000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-35872, date: 2023-07-11T00:00:00
db: JVNDB, id: JVNDB-2023-021770, date: 2024-01-19T08:08:00
db: CNNVD, id: CNNVD-202307-691, date: 2023-07-20T00:00:00
db: NVD, id: CVE-2023-35872, date: 2023-07-19T13:36:59.200

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-35872, date: 2023-07-11T00:00:00
db: JVNDB, id: JVNDB-2023-021770, date: 2024-01-19T00:00:00
db: CNNVD, id: CNNVD-202307-691, date: 2023-07-11T00:00:00
db: NVD, id: CVE-2023-35872, date: 2023-07-11T03:15:09.930