SAP GRC Authenticated Data Disclosure via Remote Function Module
CVE-2023-0019 Published on February 14, 2023
In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750 - a remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to a high impact on confidentiality.
Vulnerability Analysis
CVE-2023-0019 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity or availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-0019 has been classified as an AuthZ (missing authorization check) vulnerability or weakness.
Products Associated with CVE-2023-0019
Affected Versions
SAP_SE SAP GRC (Process Control):
- Version V1200 is affected.
- Version V8100 is affected.
- Version V1100_700 is affected.
- Version V1100_731 is affected.
- Version V1200_750 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.