Main Vulnerability Database Vulnerabilities #VU75119

Missing Authorization in SAP NetWeaver AS JAVA - CVE-2022-41272

Published: April 14, 2023

Vulnerability identifier: #VU75119

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2022-41272

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SAP NetWeaver AS JAVA

Software vendor:
SAP

Description

The vulnerability allows a remote attacker to gain unauthorized access to the server.

The vulnerability exists due to missing authorization in API. A remote attacker can access the open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) and obtain full read access to user data, make limited modifications to user data or perform a denial of service (DoS) attack.

Remediation

Install updates from vendor's website.

External links

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
https://launchpad.support.sap.com/#/notes/3273480

Missing Authorization in SAP NetWeaver AS JAVA - CVE-2022-41272

Description

Remediation

External links

Please verify you're human