Vulnerability Database

CVE-2023-40309

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

  • Published: Sep 12, 2023
  • Updated: May 4, 2025
  • CVE: CVE-2023-40309
  • Severity: Critical
  • Exploit:

CVSS v3:

  • Severity: Critical
  • Score: 9.8
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

Affected software:

| Software | From | Fixed in |
|---|---|---|
| sap / netweaver_application_server_abap | kernel_7.53 | kernel_7.53.x |
| sap / netweaver_application_server_abap | kernel_7.77 | kernel_7.77.x |
| sap / web_dispatcher | 7.53 | 7.53.x |
| sap / web_dispatcher | 7.77 | 7.77.x |
| sap / web_dispatcher | 7.22ext | 7.22ext.x |
| sap / content_server | 7.53 | 7.53.x |
| sap / web_dispatcher | 7.85 | 7.85.x |
| sap / netweaver_application_server_abap | kernel_7.22 | kernel_7.22.x |
| sap / netweaver_application_server_abap | kernel_8.04 | kernel_8.04.x |
| sap / netweaver_application_server_abap | 7.22ext | 7.22ext.x |
| sap / netweaver_application_server_abap | kernel_7.85 | kernel_7.85.x |
| sap / web_dispatcher | 7.89 | 7.89.x |
| sap / web_dispatcher | 7.54 | 7.54.x |
| sap / netweaver_application_server_abap | kernel_7.89 | kernel_7.89.x |
| sap / netweaver_application_server_abap | kernel_7.54 | kernel_7.54.x |
| sap / netweaver_application_server_abap | kernel_7.92 | kernel_7.92.x |
| sap / netweaver_application_server_abap | kernel_7.93 | kernel_7.93.x |
| sap / content_server | 6.50 | 6.50.x |
| sap / content_server | 7.54 | 7.54.x |
| sap / hana_database | 2.0 | 2.0.x |
| sap / host_agent | 722 | 722.x |
| sap / extended_application_services_and_runtime | 1.0 | 1.0.x |
| sap / sapssoext | 17.0 | 17.0.x |
| sap / commoncryptolib | 8.0.0 | 8.0.0.x |
| sap / netweaver_application_server_java | kernel64nuc_7.22 | kernel64nuc_7.22.x |
| sap / netweaver_application_server_java | kernel64nuc_7.22ext | kernel64nuc_7.22ext.x |
| sap / netweaver_application_server_java | kernel64uc_7.22 | kernel64uc_7.22.x |
| sap / netweaver_application_server_java | kernel64uc_7.22ext | kernel64uc_7.22ext.x |
| sap / netweaver_application_server_java | kernel64uc_7.53 | kernel64uc_7.53.x |
| sap / netweaver_application_server_java | kernel64uc_8.04 | kernel64uc_8.04.x |
| sap / netweaver_application_server_java | kernel_7.22 | kernel_7.22.x |
| sap / netweaver_application_server_java | kernel_7.53 | kernel_7.53.x |
| sap / netweaver_application_server_java | kernel_7.54 | kernel_7.54.x |
| sap / netweaver_application_server_java | kernel_7.77 | kernel_7.77.x |
| sap / netweaver_application_server_java | kernel_7.85 | kernel_7.85.x |
| sap / netweaver_application_server_java | kernel_7.89 | kernel_7.89.x |
| sap / netweaver_application_server_java | kernel_7.91 | kernel_7.91.x |
| sap / netweaver_application_server_java | kernel_7.92 | kernel_7.92.x |
| sap / netweaver_application_server_java | kernel_7.93 | kernel_7.93.x |
| sap / netweaver_application_server_java | kernel_8.04 | kernel_8.04.x |
| sap / netweaver_application_server_abap | kernel64nuc_7.22 | kernel64nuc_7.22.x |
| sap / netweaver_application_server_abap | kernel64nuc_7.22ext | kernel64nuc_7.22ext.x |
| sap / netweaver_application_server_abap | kernel64uc_7.22 | kernel64uc_7.22.x |
| sap / netweaver_application_server_abap | kernel64uc_7.22ext | kernel64uc_7.22ext.x |
| sap / netweaver_application_server_abap | kernel64uc_7.53 | kernel64uc_7.53.x |
| sap / netweaver_application_server_abap | kernel64uc_8.04 | kernel64uc_8.04.x |
| sap / netweaver_application_server_abap | kernel_7.91 | kernel_7.91.x |