CVE-2023-36924 MEDIUM

CVE-2023-36924: Log Injection vulnerability in SAP ERP Defense Forces and Public Security

Vendor SAP SE
Product SAP ERP Defense Forces and Public Security
Weakness CWE-117
Published July 11, 2023
Last update October 23, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

While using a specific function, SAP ERP Defense Forces and Public Security (versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807) allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data, causing a complete compromise of the integrity of the application.

Key dates

02 Disclosure timeline

July 11, 2023 CVE published
October 23, 2024 Record updated