Critical flaw fixed in SAP Business One product

Pierluigi Paganini November 15, 2023

Enterprise software giant SAP addressed a critical improper access control vulnerability in its Business One product.

SAP's November 2023 Security Patch Day includes three new and three updated security notes. The most severe, rated “Hot News”, is an improper access control vulnerability, tracked as CVE-2023-31403 (CVSS score of 9.6), that impacts the SAP Business One product installation.

“SAP Business One installation – version 10.0, does not perform proper authentication and authorization checks for SMB shared folder,” reads the advisory. “As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.”

The second Hot News is an update to a security note released on the September 2023 Patch Day. The issue, tracked as CVE-2023-40309 (CVSS score 9.8), is a missing authorization check in SAP CommonCryptoLib.

“SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges,” reads the advisory. “Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.”

The remaining security notes address four medium-severity vulnerabilities. Below is the full list of issues addressed as part of the SAP Security Note #3355658.

SAP Note | Type   | Description                                                                                                      | Component        | Priority | CVSS
---------|--------|------------------------------------------------------------------------------------------------------------------|------------------|----------|-----
2494184  | Update | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products                                  | BC-SYB-SQA       | Medium   | 6.3
3355658  | New    | [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation                 | SBO-CRO-SEC      | Hot News | 9.6
3362849  | New    | [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-CST-IC        | Medium   | 5.3
3366410  | New    | [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon                                               | BC-JAS-SEC       | Medium   | 5.3
3333426  | Update | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)               | BC-JAS-ADM-MON   | Medium   | 6.5
3340576  | Update | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib                                              | BC-IAM-SSO-CCL   | Hot News | 9.8

At this time we are not aware of attacks in the wild exploiting these vulnerabilities.
