CVE-2023-0016 - OpenCVE

SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Business Planning And Consolidation

Configuration 1 [-]

OR	cpe:2.3:a:sap:business_planning_and_consolidation:800:::::microsoft::
	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::microsoft::

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/3275391
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-01-10T03:13:29.718Z

Updated: 2024-08-02T04:54:32.704Z

Reserved: 2022-12-16T03:13:55.421Z

Link: CVE-2023-0016

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-01-10T04:15:09.797

Modified: 2023-01-18T20:28:20.350

Link: CVE-2023-0016

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0016", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2022-12-16T03:13:55.421Z", "datePublished": "2023-01-10T03:13:29.718Z", "dateUpdated": "2024-08-02T04:54:32.704Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP BPC MS 10.0", "vendor": "SAP", "versions": [{"status": "affected", "version": "800"}, {"status": "affected", "version": "810"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}], "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-01-10T03:13:29.718Z"}, "references": [{"url": "https://launchpad.support.sap.com/#/notes/3275391"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection vulnerability in SAP Business Planning and Consolidation MS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.704Z"}, "title": "CVE Program Container", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:800:*:*:*:*:microsoft:*:*", "matchCriteriaId": "6C81EEA1-659E-4080-84E6-8F61937F95B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:microsoft:*:*", "matchCriteriaId": "AAB2F486-AF82-4469-ACC5-9AC62E8449E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}], "id": "CVE-2023-0016", "lastModified": "2023-01-18T20:28:20.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2023-01-10T04:15:09.797", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/3275391"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@sap.com", "type": "Secondary"}]}