CVE-2023-41367

{"id": "CVE-2023-41367", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-09-12T02:15:12.733", "references": [{"url": "https://me.sap.com/notes/3348142", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3348142", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. On successful exploitation of vulnerability under specific circumstances, attacker can view user\u2019s email address. There is no integrity/availability impact.\n\n"}, {"lang": "es", "value": "Debido a la falta de verificaci\u00f3n de autenticaci\u00f3n en la aplicaci\u00f3n webdynpro, un usuario no autorizado en SAP NetWeaver ((Guided Procedures) - versi\u00f3n 7.50, puede obtener acceso a la vista de administrador de la funci\u00f3n espec\u00edfica de forma an\u00f3nima. En la explotaci\u00f3n exitosa de la vulnerabilidad en circunstancias espec\u00edficas, el atacante puede ver la direcci\u00f3n de correo electr\u00f3nico del usuario. No hay impacto en la integridad/disponibilidad."}], "lastModified": "2024-11-21T08:21:10.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2B37045-2FB7-49BB-AE38-B84FAA6ADFB0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}