Missing Authorization check in SAP CommonCryptoLib
CVE-2023-40309

9.8CRITICAL

Key Information:

Vendor: SAP
Status: SAP Commoncryptolib; SAP Netweaver As Abap, SAP Netweaver As Java And Abap Platform Of S/4hana On-premise; SAP Web Dispatcher; SAP Content Server
Vendor: CVE Published:; 12 September 2023

What is CVE-2023-40309?

The SAP CommonCryptoLib has a critical vulnerability where it fails to implement essential authentication checks. This oversight can lead to improper or missing authorization verifications for users. As a result, an authenticated attacker may exploit this weakness to escalate their privileges, potentially gaining access to functionalities meant for specific user groups. This could allow the attacker to read, alter, or remove sensitive data that should be restricted.

Affected Version(s)

SAP CommonCryptoLib 8

SAP Content Server 6.50

SAP Content Server 7.53

References

https://me.sap.com/notes/3340576

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2023
Vulnerability Reserved
Aug 14, 2023