Unauth Log Modification via CraftOut Request: SAP NetWeaver AS for Java 7.50
CVE-2023-31405 Published on July 11, 2023
Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.
Vulnerability Analysis
CVE-2023-31405 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.
Products Associated with CVE-2023-31405
Want to know whenever a new CVE is published for SAP Netweaver Application Server Java? stack.watch will email you.
Affected Versions
SAP_SE SAP NetWeaver AS for Java (Log Viewer):- Version ENGINEAPI 7.50 is affected.
- Version SERVERCORE 7.50 is affected.
- Version J2EE-APPS 7.50 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.