CVE-2022-41268 — Improper Privilege Management in SAP Business Planning AND Consolidation

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

7.5HIGHNVD

CNA8.5

EPSS

0.3%

top 44.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Business Planning AND Consolidation

Timeline

PublishedDec 13

Description

In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap/business_planning_and_consolidationSAP_BW 750 — SAP_BW 757+2

▶NVDsap/business_planning_and_consolidation11 versions+10

🔴Vulnerability Details

GHSA

GHSA-pfpv-6wg2-46jw: In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPM↗2022-12-13

▶

CVEList

CVE-2022-41268: In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPM↗2022-12-13

▶