Improper access control during application start-up in SAP AS NetWeaver JAVA.
CVE-2023-30744
9.1 CRITICAL
Summary
In SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface. The attacker can then use an open naming and directory API to instantiate objects whose methods can be called without further authorization or authentication. Calling these methods could let the attacker read or alter the state of existing services, which poses significant risks to the integrity and confidentiality of data, while service availability is maintained.
Affected Version(s)
SAP AS NetWeaver JAVA SERVERCORE 7.50
SAP AS NetWeaver JAVA J2EE-FRMW 7.50
SAP AS NetWeaver JAVA CORE-TOOLS 7.50
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved