Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

[CVE-2023-41367] Missing Authentication check in SAP NetWeaver AS JAVA

Date of Release: 09/11/2023
Advisory ID: CVE-2023-41367
SAP Note: 3348142
Affected Software: SAP NetWeaver Application Server for Java (AS Java) 
Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:

  • SP024 000000
  • SP025 000000
  • SP026 000005
  • SP027 000003
  • SP028 000003

Vulnerability Summary: A missing authentication check in the webdynpro application of SAP NetWeaver Guided Procedures allows unauthorized users to gain access to the admin view of specific functions anonymously. Under certain circumstances, this vulnerability enables attackers to view users’ email addresses. There is no impact on the integrity or availability of the system.

CVSS Score: 5.3 (Medium)

PoC:

GET /webdynpro/resources/sap.com/caf~eu~gp~mail~cf~ui/com.sap.caf.eu.gp.mail.cf.ui.BMAdmin  HTTP/1.1
Host: SAP-Server:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36

Impact: The primary impact of this vulnerability is the unauthorized access to the admin view of certain functions within SAP NetWeaver Guided Procedures. An attacker exploiting this vulnerability can anonymously view users’ email addresses, potentially leading to privacy violations and information leakage. However, there are no impacts on the integrity or availability of the system.

Solution: To address this issue, SAP has fixed the affected functions to prevent direct access to GP applications. Customers are advised to implement the Support Packages and Patches referenced by the corresponding SAP Note to rectify this problem.

The signature of this vulnerability has been added to the RedRays Security Platform.

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.