CVE-2023-0017
Published: 10 January 2023
Summary
CVE-2023-0017 is a critical-severity Improper Access Control (CWE-284) vulnerability in Sap Netweaver Application Server For Java. Its CVSS base score is 9.4 (Critical).
Operationally, ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-0017 is an improper access control vulnerability (CWE-284) affecting SAP NetWeaver Application Server for Java version 7.50. An unauthenticated remote attacker can attach to an exposed interface and invoke an open naming and directory API, thereby reaching internal services that permit unauthorized operations on users and data within the affected system.
An attacker with network access can exploit the flaw without authentication or user interaction to obtain full read access to user data, modify that data, and disrupt service availability. The issue carries a CVSS 3.1 base score of 9.4, reflecting network attack vector, low complexity, and high impact on confidentiality and integrity.
SAP security notes 3268093 and the associated January 2023 disclosure document address remediation; practitioners should consult those references for patch availability and configuration guidance. The EPSS score has remained flat at 0.0504 with no observable post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12122
Vulnerability details
An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used…
more
to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.