History: Jun 14, 2022 - 7:15 p.m.

CVE-2022-31589

2022-06-14 19:15:07
CWE-863
sap
web.nvd.nist.gov
cve-2022-31589
improper authorization check
israeli file
shaam program
data access

CVSS2: 4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.4
Confidence: High

EPSS: 0.001
Percentile: 28.4%

Due to an improper authorization check, business users who use the Israeli File from SHAAM program (/ATL/VQ23 transaction) are granted more authorization than needed to perform certain transactions, which may lead to users gaining access to data that would otherwise be restricted.

Affected configurations

Nvd
Node
sap erp_financial_accounting Match 618
OR
sap erp_financial_accounting Match 720
OR
sap erp_localization_for_cee_countries Match c-cee_110_600
OR
sap erp_localization_for_cee_countries Match c-cee_110_602
OR
sap erp_localization_for_cee_countries Match c-cee_110_603
OR
sap erp_localization_for_cee_countries Match c-cee_110_604
OR
sap erp_localization_for_cee_countries Match c-cee_110_700
OR
sap s\/4hana Match 100
OR
sap s\/4hana Match 101
OR
sap s\/4hana Match 102
OR
sap s\/4hana Match 103
OR
sap s\/4hana Match 104
OR
sap s\/4hana Match 105
OR
sap s\/4hana Match 106
OR
sap s\/4hana Match 107
OR
sap s\/4hana Match 108

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| sap | erp_financial_accounting | 618 | cpe:2.3:a:sap:erp_financial_accounting:618:*:*:*:*:*:*:* |
| sap | erp_financial_accounting | 720 | cpe:2.3:a:sap:erp_financial_accounting:720:*:*:*:*:*:*:* |
| sap | erp_localization_for_cee_countries | c-cee_110_600 | cpe:2.3:a:sap:erp_localization_for_cee_countries:c-cee_110_600:*:*:*:*:*:*:* |
| sap | erp_localization_for_cee_countries | c-cee_110_602 | cpe:2.3:a:sap:erp_localization_for_cee_countries:c-cee_110_602:*:*:*:*:*:*:* |
| sap | erp_localization_for_cee_countries | c-cee_110_603 | cpe:2.3:a:sap:erp_localization_for_cee_countries:c-cee_110_603:*:*:*:*:*:*:* |
| sap | erp_localization_for_cee_countries | c-cee_110_604 | cpe:2.3:a:sap:erp_localization_for_cee_countries:c-cee_110_604:*:*:*:*:*:*:* |
| sap | erp_localization_for_cee_countries | c-cee_110_700 | cpe:2.3:a:sap:erp_localization_for_cee_countries:c-cee_110_700:*:*:*:*:*:*:* |
| sap | s\/4hana | 100 | cpe:2.3:a:sap:s\/4hana:100:*:*:*:*:*:*:* |
| sap | s\/4hana | 101 | cpe:2.3:a:sap:s\/4hana:101:*:*:*:*:*:*:* |
| sap | s\/4hana | 102 | cpe:2.3:a:sap:s\/4hana:102:*:*:*:*:*:*:* |

CNA Affected

[
  {
    "product": "SAP ERP, localization for CEE countries.",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "C-CEE 110_600"
      },
      {
        "status": "affected",
        "version": "110_602"
      },
      {
        "status": "affected",
        "version": "110_603"
      },
      {
        "status": "affected",
        "version": "110_604"
      },
      {
        "status": "affected",
        "version": "110_700"
      }
    ]
  },
  {
    "product": "SAP Financials",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "SAP_FIN 618"
      },
      {
        "status": "affected",
        "version": "720"
      }
    ]
  },
  {
    "product": "SAP S/4Hana Core",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "S4CORE 100"
      },
      {
        "status": "affected",
        "version": "101"
      },
      {
        "status": "affected",
        "version": "102"
      },
      {
        "status": "affected",
        "version": "103"
      },
      {
        "status": "affected",
        "version": "104"
      },
      {
        "status": "affected",
        "version": "105"
      },
      {
        "status": "affected",
        "version": "106"
      },
      {
        "status": "affected",
        "version": "107"
      },
      {
        "status": "affected",
        "version": "108"
      }
    ]
  }
]
