Lucene search

[email protected]CVE-2022-27656

HistoryMay 11, 2022 - 3:15 p.m.

CVE-2022-27656

2022-05-1115:15:09

CWE-79

[email protected]

web.nvd.nist.gov

sap

web dispatcher

icm

web admin

xss

vulnerability

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.7%

JSON

The Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Affected configurations

NVD

Node

sapnetweaver_as_abap_kernelMatch7.22

sapnetweaver_as_abap_kernelMatch7.49

sapnetweaver_as_abap_kernelMatch7.53

sapnetweaver_as_abap_kernelMatch7.77

sapnetweaver_as_abap_kernelMatch7.81

sapnetweaver_as_abap_kernelMatch7.85

sapnetweaver_as_abap_kernelMatch7.86

sapnetweaver_as_abap_kernelMatch7.87

sapnetweaver_as_abap_kernelMatch8.04

sapnetweaver_as_abap_krnl64ucMatch7.22

sapnetweaver_as_abap_krnl64ucMatch7.22ext

sapnetweaver_as_abap_krnl64ucMatch7.49

sapnetweaver_as_abap_krnl64ucMatch7.53

sapnetweaver_as_abap_krnl64ucMatch8.04

sapwebdispatcherMatch7.22ext

sapwebdispatcherMatch7.49

sapwebdispatcherMatch7.53

sapwebdispatcherMatch7.77

sapwebdispatcherMatch7.81

sapwebdispatcherMatch7.83

sapwebdispatcherMatch7.85

CPENameOperatorVersion
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.22
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.49
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.53
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.77
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.81
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.85
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.86
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq7.87
sap:netweaver_as_abap_kernelsap netweaver as abap kerneleq8.04
sap:netweaver_as_abap_krnl64ucsap netweaver as abap krnl64uceq7.22

CPE	Name	Operator	Version
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.22
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.49
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.53
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.77
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.81
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.85
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.86
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	7.87
sap:netweaver_as_abap_kernel	sap netweaver as abap kernel	eq	8.04
sap:netweaver_as_abap_krnl64uc	sap netweaver as abap krnl64uc	eq	7.22

Rows per page:

1-10 of 211

CNA Affected

[
  {
    "product": "SAP NetWeaver AS for ABAP and Java (ICM Administration UI)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "KRNL64NUC 7.22"
      },
      {
        "status": "affected",
        "version": "7.22EXT"
      },
      {
        "status": "affected",
        "version": "7.49"
      },
      {
        "status": "affected",
        "version": "KRNL64 8.04"
      },
      {
        "status": "affected",
        "version": "7.22"
      },
      {
        "status": "affected",
        "version": "7.53"
      },
      {
        "status": "affected",
        "version": "KERNEL 7.22"
      },
      {
        "status": "affected",
        "version": "8.04"
      },
      {
        "status": "affected",
        "version": "7.77"
      },
      {
        "status": "affected",
        "version": "7.81"
      },
      {
        "status": "affected",
        "version": "7.85"
      },
      {
        "status": "affected",
        "version": "7.86"
      },
      {
        "status": "affected",
        "version": "7.87"
      }
    ]
  },
  {
    "product": "SAP Web Dispatcher (Web Administration UI)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.49"
      },
      {
        "status": "affected",
        "version": "7.53"
      },
      {
        "status": "affected",
        "version": "7.77"
      },
      {
        "status": "affected",
        "version": "7.81"
      },
      {
        "status": "affected",
        "version": "7.85"
      },
      {
        "status": "affected",
        "version": "7.22_EXT"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3145046

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Social References

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.7%

JSON

Related for CVE-2022-27656

prion1 nvd1 nessus1 cvelist1