CVE-2023-37491

HIGH

SAP Message Server - Incorrect Authorization


Description

The ACL (Access Control List) of SAP Message Server (versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT) can be bypassed under certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message Server. This may lead to unauthorized reading and writing of data, as well as rendering the system unavailable.

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0005
EPSS Percentile 14.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (9)
sap/message_server kernel_7.22
sap/message_server kernel_7.53
sap/message_server kernel_7.54
sap/message_server kernel_7.77
sap/message_server krnl64nuc_7.22
sap/message_server krnl64nuc_7.22ex
sap/message_server rnl64uc_7.22
sap/message_server rnl64uc_7.22ext
sap/message_server rnl64uc_7.53
Published Aug 08, 2023
Tracked Since Feb 18, 2026