Improper access control during application start-up in SAP AS NetWeaver JAVA.
CVE-2023-30744

8.2HIGH

Key Information:

Vendor: SAP
Status: SAP As Netweaver Java
Vendor: CVE Published:; 9 May 2023

What is CVE-2023-30744?

In SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50, a vulnerability exists that allows an unauthenticated attacker to exploit an open interface. The attacker can leverage an open naming and directory API to instantiate objects that expose callable methods without requiring further authorization or authentication. This flaw could enable attackers to read or alter the state of existing services, which poses significant risks to the integrity and confidentiality of data while maintaining service availability.

Affected Version(s)

SAP AS NetWeaver JAVA SERVERCORE 7.50

SAP AS NetWeaver JAVA J2EE-FRMW 7.50

SAP AS NetWeaver JAVA CORE-TOOLS 7.50

References

https://launchpad.support.sap.com/#/notes/3317453

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 9, 2023
Vulnerability Reserved
Apr 14, 2023