Description
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
References (2)
Core References
https://me.sap.com/notes/3340576 (Permissions Required, Vendor Advisory)
Scores
CVSS v3: 9.8
EPSS: 0.0016
EPSS Percentile: 36.6%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-863
Status: published
Products (47)
sap/commoncryptolib 8.0.0
sap/content_server 6.50
sap/content_server 7.53
sap/content_server 7.54
sap/extended_application_services_and_runtime 1.0
sap/hana_database 2.0
sap/host_agent 722
sap/netweaver_application_server_abap 7.22ext
sap/netweaver_application_server_abap kernel_7.22
sap/netweaver_application_server_abap kernel_7.53
... and 37 more
Published: Sep 12, 2023
Tracked Since: Feb 18, 2026