Date of Release: 09/11/2023
Advisory ID: CVE-2023-41367
SAP Note: 3348142
Affected Software: SAP NetWeaver Application Server for Java (AS Java)
Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:
- SP024 000000
- SP025 000000
- SP026 000005
- SP027 000003
- SP028 000003
Vulnerability Summary: A missing authentication check in the webdynpro application of SAP NetWeaver Guided Procedures allows unauthorized users to gain access to the admin view of specific functions anonymously. Under certain circumstances, this vulnerability enables attackers to view users’ email addresses. There is no impact on the integrity or availability of the system.
CVSS Score: 5.3 (Medium)
PoC:
GET /webdynpro/resources/sap.com/caf~eu~gp~mail~cf~ui/com.sap.caf.eu.gp.mail.cf.ui.BMAdmin HTTP/1.1
Host: SAP-Server:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Impact: The primary impact of this vulnerability is the unauthorized access to the admin view of certain functions within SAP NetWeaver Guided Procedures. An attacker exploiting this vulnerability can anonymously view users’ email addresses, potentially leading to privacy violations and information leakage. However, there are no impacts on the integrity or availability of the system.
Solution: To address this issue, SAP has fixed the affected functions to prevent direct access to GP applications. Customers are advised to implement the Support Packages and Patches referenced by the corresponding SAP Note to rectify this problem.
The signature of this vulnerability has been added to the RedRays Security Platform.