CVE-2023-2827 HIGH

CVE-2023-2827: Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital

Vendor SAP SE
Product SAP Plant Connectivity
Weakness CWE-306 · Missing auth
Published June 13, 2023
Last update January 3, 2025

CVSS base score

7.9/10
Attack vector Adjacent
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

01 Description

SAP Plant Connectivity (PCo) version 15.5 and the Production Connector for SAP Digital Manufacturing version 1.0 do not validate the signature of the JSON Web Token (JWT) in the HTTP request sent from SAP Digital Manufacturing. Unauthorized callers from the internal network could therefore send service requests to PCo or the Production Connector, which could have an impact on the integrity of the integration with SAP Digital Manufacturing.
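The weakness class described above, shown as an added example that is not SAP's code: a receiver that only decodes the JWT payload next to one that checks the signature before trusting any claim. The HS256 algorithm, the shared demo key, the claim names and all function names are assumptions; the page does not say which algorithm or key handling the product uses.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key"  # assumption: shared HMAC key, demo only

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_demo_token(claims, key):
    """Build a constructed HS256 token to use as sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def claims_unverified(token):
    """Flawed pattern: decodes the payload and never looks at the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))

def claims_verified(token, key, now=None):
    """Return the claims only if alg, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: reject before reading any claim
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None  # require a numeric expiry
    return claims if claims["exp"] > now else None

def tampered_copy(token, **changes):
    """Constructed test input: original signature, altered payload."""
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return f"{head}.{b64url_encode(json.dumps(claims).encode())}.{sig}"
```

A receiver built like `claims_unverified` accepts the output of `tampered_copy`, while `claims_verified` returns `None` for it, so the request is rejected before any service logic runs.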

Key dates

02 Disclosure timeline

June 13, 2023 CVE published
January 3, 2025 Record updated