CWE: 862, 863

CVE-2023-40309: Missing Authorization check in SAP CommonCryptoLib

First published: Tue Sep 12 2023

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

Credit: cna@sap.com

Affected Software = Affected Version(s)
SAP CommonCryptoLib = 8.0.0
SAP Content Server = 6.50, 7.53, 7.54
SAP Extended Application Services and Runtime = 1.0
SAP HANA Database = 2.0
SAP Host Agent = 722
SAP NetWeaver Application Server ABAP = 7.22ext, kernel_7.22, kernel_7.53, kernel_7.54, kernel_7.77, kernel_7.85, kernel_7.89, kernel_7.91, kernel_7.92, kernel_7.93, kernel_8.04, kernel64nuc_7.22, kernel64nuc_7.22ext, kernel64uc_7.22, kernel64uc_7.22ext, kernel64uc_7.53, kernel64uc_8.04
SAP NetWeaver Application Server Java = kernel_7.22, kernel_7.53, kernel_7.54, kernel_7.77, kernel_7.85, kernel_7.89, kernel_7.91, kernel_7.92, kernel_7.93, kernel_8.04, kernel64nuc_7.22, kernel64nuc_7.22ext, kernel64uc_7.22, kernel64uc_7.22ext, kernel64uc_7.53, kernel64uc_8.04
SAP SAPSSOEXT = 17.0
SAP Web Dispatcher = 7.22ext, 7.53, 7.54, 7.77, 7.85, 7.89

Frequently Asked Questions

  • What is the impact of CVE-2023-40309?

    The vulnerability in SAP CommonCryptoLib allows an attacker with authenticated access to escalate their privileges, potentially leading to unauthorized access and abuse of functionality.

  • Which software versions are affected by CVE-2023-40309?

    SAP CommonCryptoLib version 8.0.0; SAP Content Server 6.50, 7.53 and 7.54; SAP Extended Application Services and Runtime 1.0; SAP HANA Database 2.0; SAP Host Agent 722; SAP NetWeaver Application Server ABAP versions 7.22ext, kernel_7.22, kernel_7.53, kernel_7.54, kernel_7.77, kernel_7.85, kernel_7.89, kernel_7.91, kernel_7.92, kernel_7.93, kernel_8.04, kernel64nuc_7.22, kernel64nuc_7.22ext, kernel64uc_7.22, kernel64uc_7.22ext, kernel64uc_7.53 and kernel64uc_8.04; SAP NetWeaver Application Server Java versions kernel_7.22, kernel_7.53, kernel_7.54, kernel_7.77, kernel_7.85, kernel_7.89, kernel_7.91, kernel_7.92, kernel_7.93, kernel_8.04, kernel64nuc_7.22, kernel64nuc_7.22ext, kernel64uc_7.22, kernel64uc_7.22ext, kernel64uc_7.53 and kernel64uc_8.04; SAP SAPSSOEXT 17.0; SAP Web Dispatcher versions 7.22ext, 7.53, 7.54, 7.77, 7.85 and 7.89.

  • How severe is CVE-2023-40309?

    CVE-2023-40309 has a severity rating of 9.8, which is considered critical.

  • How can I mitigate the vulnerability in SAP CommonCryptoLib (CVE-2023-40309)?

    Apply the necessary security patches provided by SAP to fix the vulnerability in SAP CommonCryptoLib.

  • Where can I find more information about CVE-2023-40309?

    You can find more information about CVE-2023-40309 in SAP Note 3340576 and the official SAP document provided.
