CVE-2023-31403: 
SAP Business One vulnerability analysis and mitigation

SAP Business One installation version 10.0 was found to contain a critical vulnerability (CVE-2023-31403) related to improper authentication and authorization checks for SMB shared folder. The vulnerability was disclosed on November 13, 2023, and received a critical CVSS score of 9.6. The affected components include Crystal Report (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service, and BAS (file upload folder) (SecurityWeek, NVD).

The vulnerability is classified as an Improper Access Control vulnerability (CWE-863) that allows anonymous users to have read and write access to the SMB shared folder. The vulnerability received two different CVSS v3.1 scores: a 9.6 (Critical) from SAP SE with vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, and an 8.0 (High) from NIST with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows any malicious user to read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process, leading to considerable impact on confidentiality, integrity, and availability of the system (NVD).

SAP has released a hotfix for Business One version 10.0 SP 2308. Customers running lower support package (SP) levels are advised to update to SP 2308 and apply the provided hotfix. The fix was released as part of SAP's November 2023 Security Patch Day (SecurityWeek).

The vulnerability was rated as 'hot news', which is the highest rating in SAP's notebook system, indicating its critical nature and the urgency of applying the patch (SecurityWeek).