SAP NetWeaver Java 7.50 Unauth Access via Open Naming API
CVE-2023-30744 Published on May 9, 2023
Improper access control during application start-up in SAP AS NetWeaver JAVA.
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability.
Vulnerability Analysis
CVE-2023-30744 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2023-30744
Want to know whenever a new CVE is published for SAP Netweaver Application Server Java? stack.watch will email you.
Affected Versions
SAP_SE SAP AS NetWeaver JAVA:- Version SERVERCORE 7.50 is affected.
- Version J2EE-FRMW 7.50 is affected.
- Version CORE-TOOLS 7.50 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.