CVE-2023-0016

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

S

AP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3275391	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
https://launchpad.support.sap.com/#/notes/3275391	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:business_planning_and_consolidation:800:::::microsoft::
	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::microsoft::

History

21 Nov 2024, 07:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 9.9
References	~~() https://launchpad.support.sap.com/#/notes/3275391 - Permissions Required, Vendor Advisory~~	() https://launchpad.support.sap.com/#/notes/3275391 - Permissions Required, Vendor Advisory
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
Summary		(es) SAP BPC MS 10.0 - versión 810, permite a un atacante no autorizado ejecutar consultas de bases de datos manipuladas. La explotación de este problema podría conducir a una vulnerabilidad de inyección SQL y podría permitir a un atacante acceder, modificar y/o eliminar datos de la base de datos backend.

Information

Published : 2023-01-10 04:15

Updated : 2024-11-21 07:36

NVD link : CVE-2023-0016

Mitre link : CVE-2023-0016

CVE.ORG link : CVE-2023-0016

JSON object : View

Products Affected

business_planning_and_consolidation

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-0016", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-01-10T04:15:09.797", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["Permissions Required", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://launchpad.support.sap.com/#/notes/3275391", "tags": ["Permissions Required", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database."}, {"lang": "es", "value": "SAP BPC MS 10.0 - versi\u00f3n 810, permite a un atacante no autorizado ejecutar consultas de bases de datos manipuladas. La explotaci\u00f3n de este problema podr\u00eda conducir a una vulnerabilidad de inyecci\u00f3n SQL y podr\u00eda permitir a un atacante acceder, modificar y/o eliminar datos de la base de datos backend."}], "lastModified": "2024-11-21T07:36:23.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:800:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "6C81EEA1-659E-4080-84E6-8F61937F95B9"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:microsoft:*:*", "vulnerable": true, "matchCriteriaId": "AAB2F486-AF82-4469-ACC5-9AC62E8449E0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}