CVE-2023-23857

CRITICAL

SAP NetWeaver AS for Java -7.50 - Info Disclosure

Title source: llm

Description

Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable.

References (2)

Core 2

Core References

Permissions Required

https://launchpad.support.sap.com/#/notes/3252433

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Scores

CVSS v3 9.9

EPSS 0.0044

EPSS Percentile 63.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (1)

sap/netweaver_application_server_for_java 7.50

Published Mar 14, 2023

Tracked Since Feb 18, 2026