CVE-2023-0014 - Vulnerability Details

- Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Description

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.

Published: 2023-01-10

Score: 9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP

NetWeaver ABAP Server and ABAP Platform

unaffected

Version	Status	Constraints
`SAP_BASIS 701`	affected	—
`SAP_BASIS 702`	affected	—
`SAP_BASIS 710`	affected	—
`SAP_BASIS 711`	affected	—
`SAP_BASIS 730`	affected	—
`SAP_BASIS 731`	affected	—
`SAP_BASIS 740`	affected	—
`SAP_BASIS 750`	affected	—
`SAP_BASIS 751`	affected	—
`SAP_BASIS 752`	affected	—
`SAP_BASIS 753`	affected	—
`SAP_BASIS 754`	affected	—
`SAP_BASIS 755`	affected	—
`SAP_BASIS 756`	affected	—
`SAP_BASIS 757`	affected	—
`KERNEL 7.22`	affected	—
`KERNEL 7.53`	affected	—
`KERNEL 7.77`	affected	—
`KERNEL 7.81`	affected	—
`KERNEL 7.85`	affected	—
`KERNEL 7.89`	affected	—
`KRNL64UC 7.22`	affected	—
`KRNL64UC 7.22EXT`	affected	—
`KRNL64UC 7.53`	affected	—
`KRNL64NUC 7.22`	affected	—
`KRNL64NUC 7.22EXT`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_application_server_abap:700::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:701::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:702::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:710::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:711::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:730::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:731::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:740::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:750::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:751::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:752::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:753::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:754::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:755::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:756::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:757::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.53:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.77:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.81:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.85:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.89:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.53:::::::*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-12119	SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00439.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://launchpad.support.sap.com/#/notes/3089413
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

Wed, 09 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Sap Netweaver Application Server Abap Netweaver Application Server Abap Kernel Netweaver Application Server Abap Krnl64nuc Netweaver Application Server Abap Krnl64uc

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-01-10T03:02:39.962Z

Updated: 2025-04-09T13:59:20.601Z

Reserved: 2022-12-16T03:13:43.141Z

Link: CVE-2023-0014

Vulnrichment

Updated: 2024-08-02T04:54:32.596Z

NVD

Status : Modified

Published: 2023-01-10T04:15:09.550

Modified: 2024-11-21T07:36:23.730

Link: CVE-2023-0014

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-294

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object