NVD:CVE-2022-35291
Jul 27, 2022 - 2:15 p.m.

CVE-2022-35291

2022-07-27 14:15:08
CWE-269
web.nvd.nist.gov
misconfigured endpoints
sap successfactors
attachment apis
sf mobile app
privileged attackers
admin access
confidentiality
integrity

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 28.4%

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments, thus compromising the confidentiality and integrity of the application.

Affected configurations

Nvd
Node
sap  successfactors_mobile  Match 8.0.5  android
OR
sap  successfactors_mobile  Match 8.0.5  iphone_os

Vendor  Product                Version  CPE
sap     successfactors_mobile  8.0.5    cpe:2.3:a:sap:successfactors_mobile:8.0.5:*:*:*:*:android:*:*
sap     successfactors_mobile  8.0.5    cpe:2.3:a:sap:successfactors_mobile:8.0.5:*:*:*:*:iphone_os:*:*
