CVE-2023-33992

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:business_warehouse:730:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:100:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:200:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:300:*:*:*:*:*:*:*

History

19 Jul 2023, 13:24

Type Values Removed Values Added
CPE cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:730:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:200:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:300:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:100:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
References (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
References (MISC) https://me.sap.com/notes/3088078 - (MISC) https://me.sap.com/notes/3088078 - Permissions Required

11 Jul 2023, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-11 03:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-33992

Mitre link : CVE-2023-33992

CVE.ORG link : CVE-2023-33992


JSON object : View

Products Affected

sap

  • bw\/4hana
  • business_warehouse
CWE
CWE-862

Missing Authorization