Skip to main content

Netweaver Application Server Abap CVE-2023-27501

CRITICAL
Path Traversal (CWE-22)
2023-03-14 cna@sap.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 14, 2023 - 06:15 nvd
CRITICAL 9.6

DescriptionNVD

SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity

AnalysisAI

SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity Affected products include: Sap Netweaver Application Server Abap.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2020-26832 HIGH POC
7.6 Dec 09

SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_

CVE-2021-33678 MEDIUM POC
6.5 Jul 14

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740

CVE-2021-21473 MEDIUM POC
6.3 Jun 09

SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, con

CVE-2026-0488 CRITICAL
9.9 Feb 10

Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic functio

CVE-2023-40309 CRITICAL
9.8 Sep 12

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization

CVE-2023-0014 CRITICAL
9.8 Jan 10

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752,

CVE-2021-44231 CRITICAL
9.8 Dec 14

Internally used text extraction reports allow an attacker to inject code that can be executed by the application. Rated

CVE-2021-40499 CRITICAL
9.8 Oct 12

Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - vers

CVE-2021-27610 CRITICAL
9.8 Jun 16

SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does

CVE-2020-6275 CRITICAL
9.8 Jun 10

SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Serv

CVE-2023-27269 CRITICAL
9.6 Mar 14

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754,

CVE-2023-49581 CRITICAL
9.4 Dec 12

SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise b

Share

CVE-2023-27501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy