CVE-2023-41368 - OpenCVE

The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	S\/4 Hana

Configuration 1 [-]

OR	cpe:2.3:a:sap:s\/4_hana:102:::::::*
	cpe:2.3:a:sap:s\/4_hana:103:::::::*
	cpe:2.3:a:sap:s\/4_hana:104:::::::*
	cpe:2.3:a:sap:s\/4_hana:105:::::::*
	cpe:2.3:a:sap:s\/4_hana:106:::::::*
	cpe:2.3:a:sap:s\/4_hana:107:::::::*

No data.

References

Link	Providers
https://me.sap.com/notes/3355675
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-09-12T01:59:39.205Z

Updated: 2024-08-02T19:01:35.327Z

Reserved: 2023-08-29T05:27:56.301Z

Link: CVE-2023-41368

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-12T02:15:12.847

Modified: 2023-09-14T02:09:01.010

Link: CVE-2023-41368

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41368", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2023-08-29T05:27:56.301Z", "datePublished": "2023-09-12T01:59:39.205Z", "dateUpdated": "2024-08-02T19:01:35.327Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "S4 HANA ABAP (Manage checkbook apps)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.</p>"}], "value": "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-09-12T01:59:39.205Z"}, "references": [{"url": "https://me.sap.com/notes/3355675"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:01:35.327Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3355675", "tags": ["x_transferred"]}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", "matchCriteriaId": "7EE80980-12A5-40D7-8992-5C81FC82935E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", "matchCriteriaId": "82AAE66A-7112-4E83-9094-2AA571144F64", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", "matchCriteriaId": "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", "matchCriteriaId": "A52E5AE7-D16E-4122-A39E-20A2CAB9A146", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*", "matchCriteriaId": "EAEF60F9-E053-4D22-AA65-9C1CA5130374", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*", "matchCriteriaId": "8606117E-F864-474F-8839-F6BAB51113E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n"}, {"lang": "es", "value": "El servicio OData de S4 HANA (Manage checkbook apps), versiones 102, 103, 104, 105, 106, 107, permite a un atacante cambiar el nombre del checkbook simulando una llamada OData de actualizaci\u00f3n."}], "id": "CVE-2023-41368", "lastModified": "2023-09-14T02:09:01.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2023-09-12T02:15:12.847", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3355675"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cna@sap.com", "type": "Primary"}]}