CVE-2023-27501: Path Traversal
First published: Tue Mar 14 2023(Updated: )
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver Application Server ABAP | =700 | |
| SAP NetWeaver Application Server ABAP | =701 | |
| SAP NetWeaver Application Server ABAP | =702 | |
| SAP NetWeaver Application Server ABAP | =731 | |
| SAP NetWeaver Application Server ABAP | =740 | |
| SAP NetWeaver Application Server ABAP | =750 | |
| SAP NetWeaver Application Server ABAP | =751 | |
| SAP NetWeaver Application Server ABAP | =752 | |
| SAP NetWeaver Application Server ABAP | =753 | |
| SAP NetWeaver Application Server ABAP | =754 | |
| SAP NetWeaver Application Server ABAP | =755 | |
| SAP NetWeaver Application Server ABAP | =756 | |
| SAP NetWeaver Application Server ABAP | =757 | |
| SAP NetWeaver Application Server ABAP | =791 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-27501?
The severity of CVE-2023-27501 is critical.
What versions of SAP NetWeaver AS for ABAP and ABAP Platform are affected by CVE-2023-27501?
Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791 of SAP NetWeaver AS for ABAP and ABAP Platform are affected by CVE-2023-27501.
What is the vulnerability type of CVE-2023-27501?
CVE-2023-27501 is a directory traversal vulnerability.
How can an attacker exploit CVE-2023-27501?
An attacker can exploit CVE-2023-27501 by exploiting insufficient validation of path information provided by users and exploiting a directory traversal flaw in an available service to delete system files.
Where can I find more information about CVE-2023-27501?
You can find more information about CVE-2023-27501 in the following references: [SAP Note 3294954](https://launchpad.support.sap.com/#/notes/3294954) and [SAP Security Note](https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html).
- collector/nvd-index
- agent/event
- vendor/sap
- canonical/sap netweaver application server abap
- version/sap netweaver application server abap/700
- version/sap netweaver application server abap/701
- version/sap netweaver application server abap/702
- version/sap netweaver application server abap/731
- version/sap netweaver application server abap/740
- version/sap netweaver application server abap/750
- version/sap netweaver application server abap/751
- version/sap netweaver application server abap/752
- version/sap netweaver application server abap/753
- version/sap netweaver application server abap/754
- version/sap netweaver application server abap/755
- version/sap netweaver application server abap/756
- version/sap netweaver application server abap/757
- version/sap netweaver application server abap/791