Lucene search

SapCVE-2022-29618

HistoryJun 14, 2022 - 7:15 p.m.

CVE-2022-29618

2022-06-1419:15:07

CWE-79

sap

web.nvd.nist.gov

sap

netweaver

development infrastructure

design time repository

cve-2022-29618

input validation

code injection

browser security

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

Affected configurations

Nvd

Node

sapnetweaver_development_infrastructureMatch7.30

sapnetweaver_development_infrastructureMatch7.31

sapnetweaver_development_infrastructureMatch7.40

sapnetweaver_development_infrastructureMatch7.50

VendorProductVersionCPE
sapnetweaver_development_infrastructure7.30cpe:2.3:a:sap:netweaver_development_infrastructure:7.30:*:*:*:*:*:*:*
sapnetweaver_development_infrastructure7.31cpe:2.3:a:sap:netweaver_development_infrastructure:7.31:*:*:*:*:*:*:*
sapnetweaver_development_infrastructure7.40cpe:2.3:a:sap:netweaver_development_infrastructure:7.40:*:*:*:*:*:*:*
sapnetweaver_development_infrastructure7.50cpe:2.3:a:sap:netweaver_development_infrastructure:7.50:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	netweaver_development_infrastructure	7.30	cpe:2.3:a:sap:netweaver_development_infrastructure:7.30:::::::*
sap	netweaver_development_infrastructure	7.31	cpe:2.3:a:sap:netweaver_development_infrastructure:7.31:::::::*
sap	netweaver_development_infrastructure	7.40	cpe:2.3:a:sap:netweaver_development_infrastructure:7.40:::::::*
sap	netweaver_development_infrastructure	7.50	cpe:2.3:a:sap:netweaver_development_infrastructure:7.50:::::::*

CNA Affected

[
  {
    "product": "SAP NetWeaver Development Infrastructure (Design Time Repository)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.30"
      },
      {
        "status": "affected",
        "version": "7.31"
      },
      {
        "status": "affected",
        "version": "7.40"
      },
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3197927

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

Related for CVE-2022-29618