Detections
Analytics

SAP NetWeaver AS ABAP Multiple Vulnerabilities (3256571)

high Nessus Plugin ID 167283

Language:

Synopsis

The remote SAP NetWeaver ABAP server may be affected by multiple vulnerabilities.

Description

Multiple vulnerabilities may be present in SAP NetWeaver Application Server ABAP, including the following:

 - Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application. (CVE-2022-41214)

 - Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application. (CVE-2022-41212)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?18f404d5

https://launchpad.support.sap.com/#/notes/3256571

Plugin Details

Severity: High

ID: 167283

File Name: sap_netweaver_as_abap_3256571.nasl

Version: 1.4

Type: remote

Family: Web Servers

Published: 11/11/2022

Updated: 12/12/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.7

Temporal Score: 5.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:C/A:C

CVSS Score Source: CVE-2022-41214

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS)

Exploit Ease: No known exploits are available

Patch Publication Date: 11/8/2022

Vulnerability Publication Date: 11/8/2022

Reference Information

CVE: CVE-2022-41212, CVE-2022-41214

IAVA: 2022-A-0469