CVE-2023-0019 - OpenCVE

In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Grc Process Control

Configuration 1 [-]

OR	cpe:2.3:a:sap:grc_process_control:v1100_700:::::::*
	cpe:2.3:a:sap:grc_process_control:v1100_731:::::::*
	cpe:2.3:a:sap:grc_process_control:v1200:::::::*
	cpe:2.3:a:sap:grc_process_control:v1200_750:::::::*
	cpe:2.3:a:sap:grc_process_control:v8100:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/3281724
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-02-14T03:06:56.391Z

Updated: 2024-08-02T04:54:32.570Z

Reserved: 2022-12-20T03:49:40.251Z

Link: CVE-2023-0019

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-14T04:15:10.073

Modified: 2023-11-07T03:59:27.153

Link: CVE-2023-0019

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0019", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2022-12-20T03:49:40.251Z", "datePublished": "2023-02-14T03:06:56.391Z", "dateUpdated": "2024-08-02T04:54:32.570Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP GRC (Process Control)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "V1200"}, {"status": "affected", "version": "V8100"}, {"status": "affected", "version": "V1100_700"}, {"status": "affected", "version": "V1100_731"}, {"status": "affected", "version": "V1200_750"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.</p>"}], "value": "In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-02-14T03:06:56.391Z"}, "references": [{"url": "https://launchpad.support.sap.com/#/notes/3281724"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.570Z"}, "title": "CVE Program Container", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3281724", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:grc_process_control:v1100_700:*:*:*:*:*:*:*", "matchCriteriaId": "D3140DB5-7F34-41E9-AE57-5F190CFF03AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:grc_process_control:v1100_731:*:*:*:*:*:*:*", "matchCriteriaId": "9D1EA640-E36C-4E7C-BB30-DE51ECE11B2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:grc_process_control:v1200:*:*:*:*:*:*:*", "matchCriteriaId": "322FCC46-6C68-4177-81F5-322365C46BDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:grc_process_control:v1200_750:*:*:*:*:*:*:*", "matchCriteriaId": "17A26A2F-8F3F-4606-96AE-2CFD3E74FCEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:grc_process_control:v8100:*:*:*:*:*:*:*", "matchCriteriaId": "EE4F55B1-748F-411A-9128-274B43CCE379", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.\n\n"}], "id": "CVE-2023-0019", "lastModified": "2023-11-07T03:59:27.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2023-02-14T04:15:10.073", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3281724"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}