CVE-2022-22534 - OpenCVE

Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Netweaver

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver:700:::::::*
	cpe:2.3:a:sap:netweaver:701:::::::*
	cpe:2.3:a:sap:netweaver:702:::::::*
	cpe:2.3:a:sap:netweaver:731:::::::*
	cpe:2.3:a:sap:netweaver:740:::::::*
	cpe:2.3:a:sap:netweaver:750:::::::*
	cpe:2.3:a:sap:netweaver:751:::::::*
	cpe:2.3:a:sap:netweaver:752:::::::*
	cpe:2.3:a:sap:netweaver:753:::::::*
	cpe:2.3:a:sap:netweaver:754:::::::*
	cpe:2.3:a:sap:netweaver:755:::::::*
	cpe:2.3:a:sap:netweaver:756:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/3124994
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2022-02-09T22:05:21

Updated: 2024-08-03T03:14:55.475Z

Reserved: 2022-01-04T00:00:00

Link: CVE-2022-22534

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-09T23:15:18.533

Modified: 2022-10-27T01:10:54.553

Link: CVE-2022-22534

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver (ABAP and Java application Servers)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "740"}, {"status": "affected", "version": "750"}, {"status": "affected", "version": "751"}, {"status": "affected", "version": "752"}, {"status": "affected", "version": "753"}, {"status": "affected", "version": "754"}, {"status": "affected", "version": "755"}, {"status": "affected", "version": "756"}]}], "descriptions": [{"lang": "en", "value": "Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-24T15:18:07", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3124994"}, {"tags": ["x_refsource_MISC"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2022-22534", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver (ABAP and Java application Servers)", "version": {"version_data": [{"version_affected": "=", "version_value": "700"}, {"version_affected": "=", "version_value": "701"}, {"version_affected": "=", "version_value": "702"}, {"version_affected": "=", "version_value": "731"}, {"version_affected": "=", "version_value": "740"}, {"version_affected": "=", "version_value": "750"}, {"version_affected": "=", "version_value": "751"}, {"version_affected": "=", "version_value": "752"}, {"version_affected": "=", "version_value": "753"}, {"version_affected": "=", "version_value": "754"}, {"version_affected": "=", "version_value": "755"}, {"version_affected": "=", "version_value": "756"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application."}]}, "impact": {"cvss": {"baseScore": "null", "vectorString": "null", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/3124994", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3124994"}, {"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "refsource": "MISC", "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:14:55.475Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/3124994"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2022-22534", "datePublished": "2022-02-09T22:05:21", "dateReserved": "2022-01-04T00:00:00", "dateUpdated": "2024-08-03T03:14:55.475Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver:700:*:*:*:*:*:*:*", "matchCriteriaId": "A7FED49E-6F9A-494A-9226-1059249960A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:701:*:*:*:*:*:*:*", "matchCriteriaId": "4836C36D-242F-4818-81B4-C170959D02F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:702:*:*:*:*:*:*:*", "matchCriteriaId": "6A503ABF-8655-40D7-96AD-2D7F19A673AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:731:*:*:*:*:*:*:*", "matchCriteriaId": "8A9D5C5A-6963-438B-B0EA-2A621A34D8A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:740:*:*:*:*:*:*:*", "matchCriteriaId": "BFFA1591-0304-4FAE-A6A7-72D04D1F41A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:750:*:*:*:*:*:*:*", "matchCriteriaId": "7940A9AF-308E-4CE5-BA19-7A3DCF49F644", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:751:*:*:*:*:*:*:*", "matchCriteriaId": "C09428E4-45BB-414D-9F3D-AA5C73D2DD5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:752:*:*:*:*:*:*:*", "matchCriteriaId": "5ED0BA7D-939D-4B05-81A3-9F991C8C04F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:753:*:*:*:*:*:*:*", "matchCriteriaId": "0C2BF545-A7DC-4BB6-B894-D04CF163DD88", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:754:*:*:*:*:*:*:*", "matchCriteriaId": "A75B2F18-60BE-41B5-82CB-520F794F2004", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:755:*:*:*:*:*:*:*", "matchCriteriaId": "E31620E5-30FC-4545-A430-AAA77A66B51A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver:756:*:*:*:*:*:*:*", "matchCriteriaId": "9724E131-9893-4630-96A2-EB6032D98C58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application."}, {"lang": "es", "value": "Debido a una codificaci\u00f3n insuficiente de la entrada del usuario, SAP NetWeaver permite a un atacante no autenticado inyectar c\u00f3digo que puede exponer datos confidenciales como el ID de usuario y la contrase\u00f1a. Estos endpoints est\u00e1n normalmente expuestos a trav\u00e9s de la red y una explotaci\u00f3n con \u00e9xito puede impactar parcialmente la confidencialidad de la aplicaci\u00f3n"}], "id": "CVE-2022-22534", "lastModified": "2022-10-27T01:10:54.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-09T23:15:18.533", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3124994"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}