CVE-2022-27668

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

9.8CRITICAL

EPSS

2.5%

top 14.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AND Abap Platform SAP Netweaver AS Abap SAP Netweaver AS Abap Krnl64nuc +2 more

Timeline

PublishedJun 14

Latest updateJun 15

Description

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDsap/netweaver_as_abap_krnl64uc7.49

▶NVDsap/netweaver_as_abap_krnl64nuc7.49

▶CVEListV5sap_se/sap_netweaver_and_abap_platform11 versions+10

▶NVDsap/netweaver_as_abap7 versions+6

▶NVDsap/router7.22, 7.53+1

🔴Vulnerability Details

GHSA

GHSA-9xfm-7rcv-qrx6: Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter↗2022-06-15

▶

CVEList

CVE-2022-27668: Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter↗2022-06-14

▶