SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Commerce_cloud | SAP | 2211 (including) | 2211 (including) |
Commerce_hycom | SAP | 2105 (including) | 2105 (including) |
Commerce_hycom | SAP | 2205 (including) | 2205 (including) |
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.