ID

VAR-202204-0866


CVE

CVE-2022-28217


TITLE

Server-side request forgery vulnerability in SAP NetWeaver from SAP

Trust: 0.8

sources: JVNDB: JVNDB-2022-012079

DESCRIPTION

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parsing at endpoints and to conduct SSRF attacks that could compromise the system's availability by causing the system to crash. SAP NetWeaver from SAP contains a server-side request forgery vulnerability. The system may be put into a service operation interruption (DoS) state.

Trust: 1.71

sources: NVD: CVE-2022-28217 // JVNDB: JVNDB-2022-012079 // VULMON: CVE-2022-28217

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.20

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 1.8

vendor: sap, model: netweaver, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-012079 // NVD: CVE-2022-28217

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-28217
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-28217
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202204-3297
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-28217
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2022-28217
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-28217
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-012079 // CNNVD: CNNVD-202204-3297 // NVD: CVE-2022-28217

PROBLEMTYPE DATA

problemtype:CWE-918

Trust: 1.0

problemtype:Server-side request forgery (CWE-918) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-012079 // NVD: CVE-2022-28217

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3297

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202204-3297

EXTERNAL IDS

db: NVD, id: CVE-2022-28217

Trust: 3.3

db: JVNDB, id: JVNDB-2022-012079

Trust: 0.8

db: CNNVD, id: CNNVD-202204-3297

Trust: 0.6

db: VULMON, id: CVE-2022-28217

Trust: 0.1

sources: VULMON: CVE-2022-28217 // JVNDB: JVNDB-2022-012079 // CNNVD: CNNVD-202204-3297 // NVD: CVE-2022-28217

REFERENCES

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 2.5

url:https://launchpad.support.sap.com/#/notes/3148377

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-28217

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-28217/

Trust: 0.6

url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-38045

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/112.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-28217 // JVNDB: JVNDB-2022-012079 // CNNVD: CNNVD-202204-3297 // NVD: CVE-2022-28217

SOURCES

db: VULMON, id: CVE-2022-28217
db: JVNDB, id: JVNDB-2022-012079
db: CNNVD, id: CNNVD-202204-3297
db: NVD, id: CVE-2022-28217

LAST UPDATE DATE

2024-11-23T22:47:28.027000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2022-28217, date: 2022-06-13T00:00:00
db: JVNDB, id: JVNDB-2022-012079, date: 2023-08-25T08:14:00
db: CNNVD, id: CNNVD-202204-3297, date: 2022-07-07T00:00:00
db: NVD, id: CVE-2022-28217, date: 2024-11-21T06:56:58.137

SOURCES RELEASE DATE

db: VULMON, id: CVE-2022-28217, date: 2022-06-13T00:00:00
db: JVNDB, id: JVNDB-2022-012079, date: 2023-08-25T00:00:00
db: CNNVD, id: CNNVD-202204-3297, date: 2022-04-13T00:00:00
db: NVD, id: CVE-2022-28217, date: 2022-06-13T17:15:10.017