SAP Vendor Master Hierarchy Auth Bypass Leads to Data Modification
CVE-2023-32112 Published on May 9, 2023
Missing Authorization Check in Vendor Master Hierarchy
Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its functions. This could lead to modification of data impacting the integrity of the system.
Vulnerability Analysis
CVE-2023-32112 is exploitable with local system access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be no impact on confidentiality, no impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-32112 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-32112
- SAP S4core
- SAP Vendor Master Hierarchy
Affected Versions
SAP_SE Vendor Master Hierarchy:
- Version SAP_APPL 500 is affected.
- Version SAP_APPL 600 is affected.
- Version SAP_APPL 602 is affected.
- Version SAP_APPL 603 is affected.
- Version SAP_APPL 604 is affected.
- Version SAP_APPL 605 is affected.
- Version SAP_APPL 606 is affected.
- Version SAP_APPL 616 is affected.
- Version SAP_APPL 617 is affected.
- Version SAP_APPL 618 is affected.
- Version S4CORE 100 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.