Vulnerability Details : CVE-2023-33990
SAP SQL Anywhere version 17.0 allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with a low-privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a denial of service. Further, an attacker might be able to modify sensitive data in shared memory objects. This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.
Vulnerability category: Denial of service
Products affected by CVE-2023-33990
- cpe:2.3:a:sap:sql_anywhere:17.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-33990
- 0.04%: probability of exploitation activity in the next 30 days
- ~15%: percentile, the proportion of vulnerabilities that are scored at or below this level
CVSS scores for CVE-2023-33990
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | SAP SE | |
7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 1.8 | 5.2 | NIST | |
CWE ids for CVE-2023-33990
- A product defines a set of insecure permissions that are inherited by objects that are created by the program. Assigned by: cna@sap.com (Primary)
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: cna@sap.com (Primary)
References for CVE-2023-33990
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (SAP Patch Day Blog; Vendor Advisory)
- https://me.sap.com/notes/3331029 (SAP for Me: Sign In; Permissions Required)