ID

VAR-202212-1492


CVE

CVE-2022-41272


TITLE

Vulnerability regarding lack of authentication in SAP NetWeaver Process Integration

Trust: 0.8

sources: JVNDB: JVNDB-2022-023246

DESCRIPTION

An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application. SAP NetWeaver Process Integration contains a vulnerability related to the lack of authentication. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2022-41272 // JVNDB: JVNDB-2022-023246

AFFECTED PRODUCTS

vendor: sap, model: netweaver process integration, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver process integration, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver process integration, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // NVD: CVE-2022-41272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-41272
value: HIGH

Trust: 1.0

cna@sap.com: CVE-2022-41272
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-41272
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202212-2962
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-41272
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.1

Trust: 1.0

cna@sap.com: CVE-2022-41272
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 5.3
version: 3.1

Trust: 1.0

NVD: CVE-2022-41272
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272 // NVD: CVE-2022-41272

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-306

Trust: 1.0

problemtype:CWE-89

Trust: 1.0

problemtype: Lack of authentication (CWE-862) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // NVD: CVE-2022-41272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

PATCH

title: SAP NetWeaver Process Integration Security vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=217793

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

EXTERNAL IDS

db: NVD, id: CVE-2022-41272

Trust: 3.2

db: JVNDB, id: JVNDB-2022-023246

Trust: 0.8

db: CNNVD, id: CNNVD-202212-2962

Trust: 0.6

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272

REFERENCES

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 2.4

url:https://launchpad.support.sap.com/#/notes/3273480

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-41272

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-41272/

Trust: 0.6

url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-40078

Trust: 0.6

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272

SOURCES

db: JVNDB, id: JVNDB-2022-023246
db: CNNVD, id: CNNVD-202212-2962
db: NVD, id: CVE-2022-41272

LAST UPDATE DATE

2024-08-14T15:32:22.698000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2022-023246, date: 2023-11-28T03:09:00
db: CNNVD, id: CNNVD-202212-2962, date: 2022-12-16T00:00:00
db: NVD, id: CVE-2022-41272, date: 2023-11-07T03:52:45.597

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2022-023246, date: 2023-11-28T00:00:00
db: CNNVD, id: CNNVD-202212-2962, date: 2022-12-13T00:00:00
db: NVD, id: CVE-2022-41272, date: 2022-12-13T04:15:24.960