CVE-2023-30744 HIGH

CVE-2023-30744: Improper access control during application start-up in SAP AS NetWeaver JAVA.

Vendor Sap_Se

Product SAP AS NetWeaver JAVA

Weakness CWE-306 · Missing auth

Published May 9, 2023

Last update January 28, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability.

Key dates

Disclosure timeline

May 9, 2023 CVE published

January 28, 2025 Record updated

Identifiers

CVE CVE-2023-30744

CWE CWE-306

CVSS 8.2 / HIGH

Affected versions

Vendor Sap_Se

Product SAP AS NetWeaver JAVA

Affected SERVERCORE 7.50

Vendor Sap_Se

Product SAP AS NetWeaver JAVA

Affected J2EE-FRMW 7.50

Vendor Sap_Se

Product SAP AS NetWeaver JAVA

Affected CORE-TOOLS 7.50