Skip links

[CVE-2023-41367] Missing Authentication check in SAP NetWeaver AS JAVA

Date of Release: 09/11/2023
Advisory ID: CVE-2023-41367
SAP Note: 3348142
Affected Software: SAP NetWeaver Application Server for Java (AS Java) 
Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:

  • SP024 000000
  • SP025 000000
  • SP026 000005
  • SP027 000003
  • SP028 000003

Vulnerability Summary: A missing authentication check in the webdynpro application of SAP NetWeaver Guided Procedures allows unauthorized users to gain access to the admin view of specific functions anonymously. Under certain circumstances, this vulnerability enables attackers to view users’ email addresses. There is no impact on the integrity or availability of the system.

CVSS Score: 5.3 (Medium)

PoC:

GET /webdynpro/resources/sap.com/caf~eu~gp~mail~cf~ui/com.sap.caf.eu.gp.mail.cf.ui.BMAdmin  HTTP/1.1
Host: SAP-Server:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36

Impact: The primary impact of this vulnerability is the unauthorized access to the admin view of certain functions within SAP NetWeaver Guided Procedures. An attacker exploiting this vulnerability can anonymously view users’ email addresses, potentially leading to privacy violations and information leakage. However, there are no impacts on the integrity or availability of the system.

Solution: To address this issue, SAP has fixed the affected functions to prevent direct access to GP applications. Customers are advised to implement the Support Packages and Patches referenced by the corresponding SAP Note to rectify this problem.

The signature of this vulnerability has been added to the RedRays Security Platform.

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error