PT-2023-4603 · SAP · SAP BW/4HANA, SAP Business Warehouse

Published: 2023-07-11 · Updated: 2023-07-19 · CVE-2023-33992

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP Business Warehouse versions SAP BW 730 through SAP BW 750; SAP BW/4HANA versions DW4CORE 100 through DW4CORE 300

Description: The issue is located in the SAP BW BICS communication layer, which may expose unauthorized cell values in the data response. To exploit it, a user needs authorizations on the query as well as on the key figure/measure level; the missing check affects only the data level. The root cause is a weakness in the authorization procedure, which can allow a remote attacker to gain unauthorized access to protected information.

Recommendations: For SAP Business Warehouse versions SAP BW 730 through SAP BW 750, ensure that users have proper authorizations on the query and key figure/measure level to minimize the risk of exploitation. For SAP BW/4HANA versions DW4CORE 100 through DW4CORE 300, consider restricting access to sensitive data until a fix is available. As a temporary workaround, consider implementing additional authorization checks on the data level to prevent unauthorized access.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers:
BDU:2023-05010
CVE-2023-33992

Affected Products:
SAP BW/4HANA
SAP Business Warehouse