CaptureReplay Info Disclosure in SAP NetWeaver ABAP before 7.57
CVE-2023-0014 Published on January 10, 2023
Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.
Vulnerability Analysis
CVE-2023-0014 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.
Products Associated with CVE-2023-0014
Want to know whenever a new CVE is published for SAP products? stack.watch will email you.
Affected Versions
SAP NetWeaver ABAP Server and ABAP Platform:- Version SAP_BASIS 701 is affected.
- Version SAP_BASIS 702 is affected.
- Version SAP_BASIS 710 is affected.
- Version SAP_BASIS 711 is affected.
- Version SAP_BASIS 730 is affected.
- Version SAP_BASIS 731 is affected.
- Version SAP_BASIS 740 is affected.
- Version SAP_BASIS 750 is affected.
- Version SAP_BASIS 751 is affected.
- Version SAP_BASIS 752 is affected.
- Version SAP_BASIS 753 is affected.
- Version SAP_BASIS 754 is affected.
- Version SAP_BASIS 755 is affected.
- Version SAP_BASIS 756 is affected.
- Version SAP_BASIS 757 is affected.
- Version KERNEL 7.22 is affected.
- Version KERNEL 7.53 is affected.
- Version KERNEL 7.77 is affected.
- Version KERNEL 7.81 is affected.
- Version KERNEL 7.85 is affected.
- Version KERNEL 7.89 is affected.
- Version KRNL64UC 7.22 is affected.
- Version KRNL64UC 7.22EXT is affected.
- Version KRNL64UC 7.53 is affected.
- Version KRNL64NUC 7.22 is affected.
- Version KRNL64NUC 7.22EXT is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.