OpenCVE

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sap	Business Warehouse Bw\/4hana

Configuration 1 [-]

OR	cpe:2.3:a:sap:business_warehouse:730:::::::*
	cpe:2.3:a:sap:business_warehouse:731:::::::*
	cpe:2.3:a:sap:business_warehouse:740:::::::*
	cpe:2.3:a:sap:business_warehouse:750:::::::*
	cpe:2.3:a:sap:bw\/4hana:100:::::::*
	cpe:2.3:a:sap:bw\/4hana:200:::::::*
	cpe:2.3:a:sap:bw\/4hana:300:::::::*

No data.

References

Link	Providers
https://me.sap.com/notes/3088078
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

Tue, 29 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-07-11T02:34:11.627Z

Updated: 2024-10-29T13:43:38.660Z

Reserved: 2023-05-24T20:41:32.835Z

Link: CVE-2023-33992

Vulnrichment

Updated: 2024-08-02T15:54:14.204Z

NVD

Status : Analyzed

Published: 2023-07-11T03:15:09.717

Modified: 2023-07-19T13:24:24.817

Link: CVE-2023-33992

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33992", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2023-05-24T20:41:32.835Z", "datePublished": "2023-07-11T02:34:11.627Z", "dateUpdated": "2024-10-29T13:43:38.660Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Business Warehouse and SAP BW/4HANA", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_BW 730"}, {"status": "affected", "version": "SAP_BW 731"}, {"status": "affected", "version": "SAP_BW 740"}, {"status": "affected", "version": "SAP_BW 750"}, {"status": "affected", "version": "DW4CORE 100"}, {"status": "affected", "version": "DW4CORE 200"}, {"status": "affected", "version": "DW4CORE 300"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.</p>"}], "value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-07-11T02:34:11.627Z"}, "references": [{"url": "https://me.sap.com/notes/3088078"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.204Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3088078", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-25T18:38:55.404664Z", "id": "CVE-2023-33992", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T13:43:38.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3088078", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.204Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33992", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-25T18:38:55.404664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T13:43:34.246Z"}}], "cna": {"title": "Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Business Warehouse and SAP BW/4HANA", "versions": [{"status": "affected", "version": "SAP_BW 730"}, {"status": "affected", "version": "SAP_BW 731"}, {"status": "affected", "version": "SAP_BW 740"}, {"status": "affected", "version": "SAP_BW 750"}, {"status": "affected", "version": "DW4CORE 100"}, {"status": "affected", "version": "DW4CORE 200"}, {"status": "affected", "version": "DW4CORE 300"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3088078"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-07-11T02:34:11.627Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33992", "state": "PUBLISHED", "dateUpdated": "2024-10-29T13:43:38.660Z", "dateReserved": "2023-05-24T20:41:32.835Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2023-07-11T02:34:11.627Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_warehouse:730:*:*:*:*:*:*:*", "matchCriteriaId": "EF8F2CE3-BA4B-4A9C-A284-87F0AB797B92", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*", "matchCriteriaId": "00732AD2-BEED-4C1F-AC39-46E6F33CBB5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*", "matchCriteriaId": "EC7DABAD-36FA-49D7-8C3C-3AA49604BE37", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*", "matchCriteriaId": "526C11C6-B67D-49F1-94E6-A324AA581EDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:bw\\/4hana:100:*:*:*:*:*:*:*", "matchCriteriaId": "BCD13072-E149-45FB-BD46-E3D48D81216B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:bw\\/4hana:200:*:*:*:*:*:*:*", "matchCriteriaId": "704134B4-A642-488F-94B3-48A744C46A1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:bw\\/4hana:300:*:*:*:*:*:*:*", "matchCriteriaId": "7CCF4C28-1C0B-43C3-A870-C30F53BCAA2B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.\n\n"}], "id": "CVE-2023-33992", "lastModified": "2023-07-19T13:24:24.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2023-07-11T03:15:09.717", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3088078"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}