Strix
26.1K

CVE-2023-33987

CRITICALCVSS 9.4/10EPSS 0.58%

Last modified

CVE-2023-33987 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable. . EPSS estimates a 0.58% chance of exploitation in the next 30 days.

Description

An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable.

Metrics

CVSS 3.1
9.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Probability
0.58%

43.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SapWeb Dispatcher7.49
SapWeb Dispatcher7.53
SapWeb Dispatcher7.54
SapWeb Dispatcher7.77
SapWeb Dispatcher7.81
SapWeb Dispatcher7.85
SapWeb Dispatcher7.88
SapWeb Dispatcher7.89
SapWeb Dispatcher7.90
SapWeb Dispatcherhdb_2.00
SapWeb Dispatcherkernel_7.49
SapWeb Dispatcherkernel_7.53
SapWeb Dispatcherkernel_7.54
SapWeb Dispatcherkernel_7.77
SapWeb Dispatcherkernel_7.81
SapWeb Dispatcherkernel_7.85
SapWeb Dispatcherkernel_7.88
SapWeb Dispatcherkernel_7.89
SapWeb Dispatcherkernel_7.90
SapWeb Dispatcherkrnl64nuc_7.49
SapWeb Dispatcherkrnl64uc_7.49
SapWeb Dispatcherkrnl64uc_7.53
SapWeb Dispatchersap_extended_app_services_1
SapWeb Dispatcherxs_advanced_runtime_1.00

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-33987?
An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable.
How severe is CVE-2023-33987?
CVE-2023-33987 has a CVSS score of 9.4/10 (CRITICAL severity). The EPSS model estimates a 0.58% probability of exploitation in the next 30 days.
How do I fix CVE-2023-33987?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-33987?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST