CVE-2023-27895 MEDIUM

CVE-2023-27895: Information Disclosure vulnerability in SAP Authenticator for Android

Vendor SAP
Product Authenticator for Android
Weakness CWE-267
Published March 14, 2023
Last update February 27, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

SAP Authenticator for Android, version 1.3.0, allows the screen to be captured if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the current views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify or delete the data.

Key dates

02 Disclosure timeline

March 14, 2023 CVE published
February 27, 2025 Record updated