CVE-2023-37491 HIGH

CVE-2023-37491: Improper Authorization check vulnerability in SAP Message Server

Vendor Sap_Se
Product SAP Message Server
Weakness CWE-863 · Incorrect authorization
Published August 8, 2023
Last update October 22, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable.

Key dates

02Disclosure timeline

August 8, 2023 CVE published
October 22, 2024 Record updated