SAP Commerce accepts empty passphrases.
CVE-2023-39439

9.8CRITICAL

Key Information:

Vendor: SAP
Status: SAP Commerce
Vendor: CVE Published:; 8 August 2023

Summary

SAP Commerce Cloud contains a vulnerability that allows users to bypass passphrase security during login. The system may accept an empty passphrase for user ID and passphrase authentication, enabling unauthorized access. This could lead to potential compromises of sensitive data and overall system integrity. Organizations are advised to apply the necessary patches to mitigate this vulnerability and safeguard their systems.

Affected Version(s)

SAP Commerce HY_COM 2105

SAP Commerce HY_COM 2205

SAP Commerce COM_CLOUD 2211

References

https://me.sap.com/notes/3346500

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 8, 2023
Vulnerability Reserved
Aug 1, 2023