SAP Landscape Mgt v3.0 IE: Auth Escalation to SM
CVE-2023-26458 Published on April 11, 2023

Information Disclosure vulnerability in SAP Landscape Management
An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition. It allows an authenticated SAP Landscape Management user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification.The disclosed information is for Diagnostics Agent Connection via Java SCS Message Server of an SAP Solution Manager system and can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to the SAP Solution Manager system.

NVD

Vulnerability Analysis

CVE-2023-26458 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2023-26458

Want to know whenever a new CVE is published for SAP Landscape Management? stack.watch will email you.

SAP Landscape Management
 

Affected Versions

SAP Landscape Management Version 3.0 is affected by CVE-2023-26458

Exploit Probability

EPSS
0.21%
Percentile
43.68%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.