CVE-2023-37484

Name of the Vulnerable Software and Affected Versions SAP PowerDesigner version 16.7

Description The issue is related to insufficient protection of service data due to the handling of password hashes during login attempts. This may allow a remote attacker to gain unauthorized access to protected information. The vulnerability involves the comparison of user-provided passwords with all password hashes in the backend database during a login attempt, potentially allowing an attacker to access password hashes from the client's memory.

Recommendations For SAP PowerDesigner version 16.7, consider disabling the login functionality that compares user-provided passwords with backend database hashes until a patch is available. Restrict access to the backend database to minimize the risk of exploitation. Avoid using the password variable in the affected login endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.