CVE-2022-41272

CWE-89 — SQL Injection CWE-306 — Missing Authentication CWE-862 — Missing Authorization3 documents3 sources

Severity

8.6HIGH

EPSS

0.7%

top 28.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver Process Integration

Timeline

PublishedDec 13

Description

An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:LExploitability: 3.9 | Impact: 5.3

Affected Packages2 packages

▶CVEListV5sap/netweaver_process_integration7.50

▶NVDsap/netweaver_process_integration7.50

🔴Vulnerability Details

CVEList

CVE-2022-41272: An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Pr↗2022-12-13

▶

GHSA

GHSA-w9xw-rr57-fj54: An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Pr↗2022-12-13

▶