CVE-2022-29612
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
14/06/2022
Last modified:
06/10/2022
Description
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sap:host_agent:7.22:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.22:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.49:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.53:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.77:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.81:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.85:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.86:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.87:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_7.88:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:kernel_8.04:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_abap:krnl64uc_7.22ext:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page