CVE-2023-24523

HIGH

SAP Host Agent <7.22 - Privilege Escalation

Title source: llm

Description

An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.

References (2)

Core 2

Core References

Permissions Required, Vendor Advisory

https://launchpad.support.sap.com/#/notes/3285757

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Scores

CVSS v3 8.8

EPSS 0.0019

EPSS Percentile 8.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-668

Status published

Products (2)

sap/host_agent 7.21

sap/host_agent 7.22

Published Feb 14, 2023

Tracked Since Feb 18, 2026