CVE-2022-22534

EPSS 1.72%
Published 09.02.2022 23:15:18
Last modified 21.11.2024 06:46:58
Source cna@sap.com
Teams watchlist Login
Open Login

Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Netweaver Version700

SAP ≫ Netweaver Version701

SAP ≫ Netweaver Version702

SAP ≫ Netweaver Version731

SAP ≫ Netweaver Version740

SAP ≫ Netweaver Version750

SAP ≫ Netweaver Version751

SAP ≫ Netweaver Version752

SAP ≫ Netweaver Version753

SAP ≫ Netweaver Version754

SAP ≫ Netweaver Version755

SAP ≫ Netweaver Version756

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.72%	0.808

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3124994

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-22534

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-22534

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-22534

EUVD