8.1

CVE-2022-35291

EPSS 0.33%
Veröffentlicht 27.07.2022 14:15:08
Zuletzt bearbeitet 21.11.2024 07:11:03
Quelle cna@sap.com
Teams Watchlist Login
Unerledigt Login

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Successfactors Mobile Version8.0.5 SwPlatformandroid

SAP ≫ Successfactors Mobile Version8.0.5 SwPlatformiphone_os

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.553

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
cna@sap.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3226411

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-35291

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-35291

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-35291

EUVD