Unauthenticated Info Disclosure in SAP Host Agent 7.22
CVE-2023-36926 Published on August 8, 2023

Information disclosure vulnerability in SAP Host Agent
Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server.  There is no impact on integrity or availability.

NVD

Vulnerability Analysis

CVE-2023-36926 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is rated high. A successful exploit has a low impact on confidentiality and no impact on integrity or availability, consistent with the vector below.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Products Associated with CVE-2023-36926


Affected Versions

SAP_SE SAP Host Agent Version 7.22 is affected by CVE-2023-36926

Exploit Probability

EPSS
0.29%
Percentile
51.70%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.