CVE-2023-27895 - OpenCVE

SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the currently views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify and delete the data.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Authenticator

Configuration 1 [-]

cpe:2.3:a:sap:authenticator:1.3.0:*:*:*:*:android:*:*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3302710	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2023-03-14T05:08:09.049Z

Updated: 2023-04-11T20:19:44.189Z

Reserved: 2023-03-07T07:53:14.886Z

Link: CVE-2023-27895

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-14T06:15:12.553

Modified: 2023-04-11T04:16:06.767

Link: CVE-2023-27895

JSON object: View

Redhat Information

No data.

CWE

CWE-267

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-27895", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2023-03-07T07:53:14.886Z", "datePublished": "2023-03-14T05:08:09.049Z", "dateUpdated": "2023-04-11T20:19:44.189Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Authenticator for Android", "vendor": "SAP", "versions": [{"status": "affected", "version": "1.3.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the currently views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify and delete the data.</p>"}], "value": "SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the currently views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify and delete the data.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-267", "description": "CWE-267: Privilege Defined with Unsafe Actions", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2023-04-11T20:19:44.189Z"}, "references": [{"url": "https://launchpad.support.sap.com/#/notes/3302710"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Information Disclosure vulnerability in SAP Authenticator for Android", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}