CVE-2022-28215
https://notcve.org/view.php?id=CVE-2022-28215
SAP NetWeaver ABAP Server and ABAP Platform - versions 740, 750, 787, allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. SAP NetWeaver ABAP Server y ABAP Platform - versiones 740, 750, 787, permite a un atacante no autenticado redirigir a usuarios a un sitio malicioso debido a la insuficiente comprobación de la URL. Esto podría conllevar a que el usuario fuera engañado para divulgar información personal • https://launchpad.support.sap.com/#/notes/3165333 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2022-22543
https://notcve.org/view.php?id=CVE-2022-22543
SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack. This allows an unauthorized remote user to provoke a breakdown of the SAP Web Dispatcher or Kernel work process. The crashed process can be restarted immediately, other processes are not affected. SAP NetWeaver Application Server for ABAP (Kernel) y ABAP Platform (Kernel) - versiones KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, no comprueba suficientemente la información de sap-passport, lo que podría conllevar un ataque de Denegación de Servicio. Esto permite a un usuario remoto no autorizado provocar un bloqueo del proceso de trabajo del SAP Web Dispatcher o del Kernel. • https://launchpad.support.sap.com/#/notes/3116223 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-22545
https://notcve.org/view.php?id=CVE-2022-22545
A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756. Un usuario con altos privilegios que tenga acceso a la transacción SM59 puede leer los detalles de conexión almacenados con el destino de las llamadas http en SAP NetWeaver Application Server ABAP y ABAP Platform - versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 • https://launchpad.support.sap.com/#/notes/3128473 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-22540
https://notcve.org/view.php?id=CVE-2022-22540
SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de datos diseñadas, que podrían exponer la base de datos del backend. Los ataques con éxito podrían resultar en una revelación de una tabla de contenidos del sistema, pero no se presenta riesgo de modificación posible • https://launchpad.support.sap.com/#/notes/3140587 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-42067
https://notcve.org/view.php?id=CVE-2021-42067
In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. En SAP NetWeaver AS for ABAP y ABAP Platform - versiones 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, un atacante autenticado como usuario normal puede usar el cuadro de mandos de S/4 Hana para revelar sistemas y servicios que normalmente no se le permitiría ver. No es posible la alteración de la información ni la denegación de servicio • https://launchpad.support.sap.com/#/notes/3112710 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 •