Details of VAR-202212-1492

ID

VAR-202212-1492

CVE

CVE-2022-41272

TITLE

SAP of SAP NetWeaver Process Integration Vulnerability regarding lack of authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2022-023246

DESCRIPTION

An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application. SAP of SAP NetWeaver Process Integration Exists in a vulnerability related to the lack of authentication.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2022-41272 // JVNDB: JVNDB-2022-023246

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.50	Trust: 1.8
vendor:	sap	model:	netweaver process integration	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // NVD: CVE-2022-41272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-41272
value:	HIGH
Trust: 1.0
cna@sap.com:	CVE-2022-41272
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-41272
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202212-2962
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-41272
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	4.7
version:	3.1
Trust: 1.0
cna@sap.com:	CVE-2022-41272
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	5.3
version:	3.1
Trust: 1.0
NVD:	CVE-2022-41272
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272 // NVD: CVE-2022-41272

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	CWE-306	Trust: 1.0
problemtype:	CWE-89	Trust: 1.0
problemtype:	Lack of authentication (CWE-862) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-023246 // NVD: CVE-2022-41272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

PATCH

title:

SAP NetWeaver Process Integration Security vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=217793

Trust: 0.6

sources: CNNVD: CNNVD-202212-2962

EXTERNAL IDS

db:	NVD	id:	CVE-2022-41272	Trust: 3.2
db:	JVNDB	id:	JVNDB-2022-023246	Trust: 0.8
db:	CNNVD	id:	CNNVD-202212-2962	Trust: 0.6

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272

REFERENCES

url:	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Trust: 2.4
url:	https://launchpad.support.sap.com/#/notes/3273480	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-41272	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-41272/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-40078	Trust: 0.6

sources: JVNDB: JVNDB-2022-023246 // CNNVD: CNNVD-202212-2962 // NVD: CVE-2022-41272

SOURCES

db:	JVNDB	id:	JVNDB-2022-023246
db:	CNNVD	id:	CNNVD-202212-2962
db:	NVD	id:	CVE-2022-41272

LAST UPDATE DATE

2024-08-14T15:32:22.698000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-023246	date:	2023-11-28T03:09:00
db:	CNNVD	id:	CNNVD-202212-2962	date:	2022-12-16T00:00:00
db:	NVD	id:	CVE-2022-41272	date:	2023-11-07T03:52:45.597

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-023246	date:	2023-11-28T00:00:00
db:	CNNVD	id:	CNNVD-202212-2962	date:	2022-12-13T00:00:00
db:	NVD	id:	CVE-2022-41272	date:	2022-12-13T04:15:24.960