CVE-2023-40309

Name: CVE-2023-40309
Creator: NVD / NIST
Published: 2023-09-12T03:15:12.073+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 0.75%

Last modified Jun 17, 2026

CVE-2023-40309 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.. EPSS estimates a 0.75% chance of exploitation in the next 30 days.

Description

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.75%

50.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Sap	Commoncryptolib	8.0.0
Sap	Content Server	6.50
Sap	Content Server	7.53
Sap	Content Server	7.54
Sap	Extended Application Services And Runtime	1.0
Sap	Hana Database	2.0
Sap	Host Agent	722
Sap	Netweaver Application Server Abap	7.22ext
Sap	Netweaver Application Server Abap	kernel_7.22
Sap	Netweaver Application Server Abap	kernel_7.53
Sap	Netweaver Application Server Abap	kernel_7.54
Sap	Netweaver Application Server Abap	kernel_7.77
Sap	Netweaver Application Server Abap	kernel_7.85
Sap	Netweaver Application Server Abap	kernel_7.89
Sap	Netweaver Application Server Abap	kernel_7.91
Sap	Netweaver Application Server Abap	kernel_7.92
Sap	Netweaver Application Server Abap	kernel_7.93
Sap	Netweaver Application Server Abap	kernel_8.04
Sap	Netweaver Application Server Abap	kernel64nuc_7.22
Sap	Netweaver Application Server Abap	kernel64nuc_7.22ext
Sap	Netweaver Application Server Abap	kernel64uc_7.22
Sap	Netweaver Application Server Abap	kernel64uc_7.22ext
Sap	Netweaver Application Server Abap	kernel64uc_7.53
Sap	Netweaver Application Server Abap	kernel64uc_8.04
Sap	Netweaver Application Server Java	kernel_7.22
Sap	Netweaver Application Server Java	kernel_7.53
Sap	Netweaver Application Server Java	kernel_7.54
Sap	Netweaver Application Server Java	kernel_7.77
Sap	Netweaver Application Server Java	kernel_7.85
Sap	Netweaver Application Server Java	kernel_7.89
Sap	Netweaver Application Server Java	kernel_7.91
Sap	Netweaver Application Server Java	kernel_7.92
Sap	Netweaver Application Server Java	kernel_7.93
Sap	Netweaver Application Server Java	kernel_8.04
Sap	Netweaver Application Server Java	kernel64nuc_7.22
Sap	Netweaver Application Server Java	kernel64nuc_7.22ext
Sap	Netweaver Application Server Java	kernel64uc_7.22
Sap	Netweaver Application Server Java	kernel64uc_7.22ext
Sap	Netweaver Application Server Java	kernel64uc_7.53
Sap	Netweaver Application Server Java	kernel64uc_8.04
Sap	Sapssoext	17.0
Sap	Web Dispatcher	7.22ext
Sap	Web Dispatcher	7.53
Sap	Web Dispatcher	7.54
Sap	Web Dispatcher	7.77
Sap	Web Dispatcher	7.85
Sap	Web Dispatcher	7.89

References

https://me.sap.com/notes/3340576Permissions Required, Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
https://me.sap.com/notes/3340576Permissions Required, Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory

Timeline

Published: Sep 12, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-40309?

How severe is CVE-2023-40309?

CVE-2023-40309 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.75% probability of exploitation in the next 30 days.

How do I fix CVE-2023-40309?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-40309?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST