CVE-2023-33992

Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA

Description

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.

References

Link	Tags
https://me.sap.com/notes/3088078	permissions required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2023-33992?: CVE-2023-33992 has been scored as a medium severity vulnerability.
How to fix CVE-2023-33992?: To fix CVE-2023-33992, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-33992 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-33992 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-33992?: CVE-2023-33992 affects SAP_SE SAP Business Warehouse and SAP BW/4HANA.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-862 – Missing Authorization

References

Frequently Asked Questions