CVE-2022-28217
Severity
6.5 MEDIUM
EPSS
0.3%
top 50.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 13
Latest update: Jun 14
Description
Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parsing at endpoints, and a possibility to conduct SSRF attacks that could compromise the system's Availability by causing the system to crash.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details
GHSA
GHSA-4mp4-x5rj-88jp (2022-06-14): Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an ad
CVEList
CVE-2022-28217 (2022-06-13): Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an ad