Vulnerability identifier: #VU79267
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39439
CWE-ID: CWE-521 (Weak Password Requirements)
Exploitation vector: Network
Exploit availability: No
Vulnerable software: SAP Commerce (Web applications / E-Commerce systems)
Vendor: SAP
Description
The vulnerability allows a remote attacker to bypass password authentication.
The vulnerability exists because the application accepts an empty password. An attacker can trick the victim into setting an empty password for their account and then log in to that account without a password, gaining unauthorized access to the application.
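To make the weakness concrete, the following is an added example (not SAP Commerce code, and not taken from the vendor note): a minimal user store that accepts an empty password when it is set and therefore lets anyone log in with an empty string, beside a hardened store that enforces a non-empty minimum length where the password is set and again where it is checked. The store layout, the class names and the minimum length of 12 characters are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed policy value for the example; a real deployment takes this from its password policy.
MIN_PASSWORD_LENGTH = 12


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt. The hashing itself is not the bug:
    an empty string hashes perfectly well, which is exactly why the check must
    happen before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class VulnerableUserStore:
    """Constructed model of the weakness (CWE-521): any password the caller supplies
    is stored, including the empty string, so a login with "" then succeeds."""

    def __init__(self) -> None:
        self._users = {}  # username -> (salt, pbkdf2 hash); in-memory for the example

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison; correct, but it will happily match an empty password.
        return hmac.compare_digest(_hash_password(password, salt), expected)


class PasswordPolicyError(ValueError):
    """Raised when a new password fails the policy."""


class HardenedUserStore(VulnerableUserStore):
    """Same storage, but the policy is enforced at both ends: an empty password can
    neither be stored nor be used to log in, even if an old empty-password record exists."""

    def set_password(self, username: str, password: str) -> None:
        if password.strip() == "":
            raise PasswordPolicyError("empty or whitespace-only password rejected")
        if len(password) < MIN_PASSWORD_LENGTH:
            raise PasswordPolicyError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        super().set_password(username, password)

    def authenticate(self, username: str, password: str) -> bool:
        # Reject empty credentials before consulting the store, so a record created
        # before the policy existed cannot be logged into with "".
        if not username or not password:
            return False
        return super().authenticate(username, password)


def demo_empty_password_login() -> tuple:
    """Returns (vulnerable_login_with_empty_password_ok, hardened_store_rejected_empty_password)."""
    vuln = VulnerableUserStore()
    vuln.set_password("victim", "")          # the "tricked into setting an empty password" step
    vulnerable_login_ok = vuln.authenticate("victim", "")

    hardened = HardenedUserStore()
    try:
        hardened.set_password("victim", "")
        hardened_rejected = False
    except PasswordPolicyError:
        hardened_rejected = True
    return vulnerable_login_ok, hardened_rejected


def demo_legacy_record() -> bool:
    """A hardened store that still holds a pre-policy empty-password record refuses the login."""
    hardened = HardenedUserStore()
    VulnerableUserStore.set_password(hardened, "legacy", "")  # bypass the policy to plant old data
    return hardened.authenticate("legacy", "")


if __name__ == "__main__":
    print("vulnerable store accepts empty-password login, hardened store rejects setting it:",
          demo_empty_password_login())
    print("hardened store lets a legacy empty-password record log in:", demo_legacy_record())
```

The point of the second check in `authenticate` is that patching only the password-change path leaves every account that already has an empty password exposed; rejecting empty credentials at login closes that window while those accounts are being cleaned up.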
Mitigation
Install updates from the vendor's website (SAP Note 3346500, linked below). Until the update is applied, check that no accounts have an empty password set and that the configured password policy rejects empty passwords.
Vulnerable software versions
SAP Commerce: 2105 - 2211
External links
https://me.sap.com/notes/3346500
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.