CVSS: 9.8EPSS: 0%CPEs: 27EXPL: 0CVE-2023-0014 – Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-0014
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system. • https://launchpad.support.sap.com/#/notes/3089413 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 4.7EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41215
https://notcve.org/view.php?id=CVE-2022-41215
SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. SAP NetWeaver ABAP Server y ABAP Platform permiten que un atacante no autenticado redirija a los usuarios a un sitio malicioso debido a una validación de URL insuficiente. Esto podría llevar a que se engañe al usuario para que revele información personal. • https://launchpad.support.sap.com/#/notes/3251202 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41214
https://notcve.org/view.php?id=CVE-2022-41214
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habilitada para eliminar un archivo que de otro modo estaría restringido. Si se explota con éxito, un atacante puede comprometer completamente la integridad y disponibilidad de la aplicación. • https://launchpad.support.sap.com/#/notes/3256571 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-20: Improper Input Validation •
CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41212
https://notcve.org/view.php?id=CVE-2022-41212
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habilitada para leer un archivo que de otro modo estaría restringido. Si la explotación tiene éxito, un atacante puede comprometer completamente la confidencialidad de la aplicación. • https://launchpad.support.sap.com/#/notes/3256571 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2022-29611
https://notcve.org/view.php?id=CVE-2022-29611
SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3165801 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •