CVE-2023-37483

9.8 CRITICAL

📋 TL;DR

SAP PowerDesigner 16.7 has an improper access control vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries against the back-end database via Proxy. This affects organizations using SAP PowerDesigner 16.7 for database modeling and design.

💻 Affected Systems

Products:
  • SAP PowerDesigner
Versions: 16.7
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PowerDesigner installations with proxy functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, deletion, or potential remote code execution on the database server.

🟠 Likely Case

Unauthorized data access, extraction of sensitive database information, and potential data manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation and database access controls in place.

🌐 Internet-Facing: HIGH - Direct database access via unauthenticated proxy allows full database manipulation.
🏢 Internal Only: HIGH - Even internally, unauthenticated access to database queries poses significant risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct SQL query execution via proxy without authentication makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3341460

Vendor Advisory: https://me.sap.com/notes/3341460

Restart Required: Yes

Instructions:

1. Download the patch from SAP Note 3341460.
2. Apply it to the PowerDesigner installation.
3. Restart PowerDesigner services.
4. Verify that proxy access controls are properly configured.

🔧 Temporary Workarounds

Disable Proxy Functionality (applies to: all)

Disable or restrict proxy access to PowerDesigner if not required.

Configure PowerDesigner settings to disable proxy functionality.

Network Segmentation (applies to: all)

Restrict network access to PowerDesigner instances.

Configure firewall rules to limit access to PowerDesigner ports.

🧯 If You Can't Patch

  • Implement strict network access controls to isolate PowerDesigner instances
  • Monitor database queries and proxy access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check PowerDesigner version and verify if SAP Note 3341460 is applied.

Check Version:

Check the PowerDesigner About dialog or the version files in the installation directory.

Verify Fix Applied:

Verify patch installation and test proxy access controls.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns via proxy
  • Unauthenticated access attempts to proxy endpoints

Network Indicators:

  • Unexpected SQL queries from PowerDesigner proxy ports
  • Database connection spikes from PowerDesigner

SIEM Query:

source="PowerDesigner" AND (event_type="proxy_access" OR event_type="database_query") AND user="anonymous"
