CVE-2023-31403: Critical SAP Business One Security Vulnerability

SAP, a leading enterprise software maker, has once again underscored its commitment to these principles with the release of its November 2023 Security Patch Day advisories. This month, the spotlight falls on a series of critical updates designed to fortify the security framework of various SAP products. At the heart of this month’s release are six security notes, a blend of three new and three updated advisories.

The most critical update revolves around the SAP CommonCryptoLib, a component pivotal for ensuring robust authorization and authentication across SAP systems. The identified vulnerability, cataloged as CVE-2023-40309 and carrying a CVSS score of 9.8, exposes a glaring oversight in authorization checks. This loophole could potentially allow attackers to escalate privileges, granting unauthorized access to functionalities and sensitive data restricted to certain user groups. The update to CommonCryptoLib is not just a patch; it’s a crucial reinforcement of the security ramparts guarding against privilege escalation attacks.

Another significant update pertains to SAP Business One, specifically addressing an improper access control flaw. Tracked as CVE-2023-31403, with a CVSS score of 9.6, this vulnerability is particularly worrisome due to its potential impact on the SMB shared folder used in version 10.0 installations. The lapse in authentication and authorization checks raises serious concerns, as malicious entities could gain read and write access to this shared folder. This vulnerability not only threatens data integrity and confidentiality but also the overall availability of the system.

Beyond these high-stakes updates, SAP’s latest advisory doesn’t overlook the medium-severity bugs. This category includes issues concerning information disclosure in SAP NetWeaver Application Server ABAP, ABAP Platform, and NetWeaver AS Java Logon products.