Vulnerability Details : CVE-2023-0019
In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750 - a remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to a high impact on confidentiality.
Products affected by CVE-2023-0019
- cpe:2.3:a:sap:grc_process_control:v8100:*:*:*:*:*:*:*
- cpe:2.3:a:sap:grc_process_control:v1100_700:*:*:*:*:*:*:*
- cpe:2.3:a:sap:grc_process_control:v1100_731:*:*:*:*:*:*:*
- cpe:2.3:a:sap:grc_process_control:v1200_750:*:*:*:*:*:*:*
- cpe:2.3:a:sap:grc_process_control:v1200:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-0019
- 0.22%: Probability of exploitation activity in the next 30 days
- ~ 42%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-0019
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | SAP SE | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2023-0019
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: cna@sap.com (Primary)
References for CVE-2023-0019
- https://launchpad.support.sap.com/#/notes/3281724
  SAP ONE Support Launchpad: Log On (Permissions Required)
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
  SAP Patch Day Blog (Vendor Advisory)