CVE-2022-35291

Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application

Debido a los endpoints de la aplicación configurados inapropiadamente, las APIs de adjuntos de SAP SuccessFactors permiten a atacantes privilegiados de usuario llevar a cabo actividades con privilegios de administrador a través de la red. Estas APIs fueron consumidas en la aplicación SF Mobile para Time Off, Time Sheet, EC Workflow y Benefits. Si es explotado con éxito, el atacante puede leer/escribir archivos adjuntos. De este modo, es comprometida la confidencialidad e integridad de la aplicación

*Credits: N/A

CVSS Scores

NISTv3.1 8.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-07 CVE Reserved
2022-07-27 CVE Published
2024-02-17 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-269: Improper Privilege Management

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	2022-08-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sap Search vendor "Sap"		Successfactors Mobile Search vendor "Sap" for product "Successfactors Mobile"				8.0.5 Search vendor "Sap" for product "Successfactors Mobile" and version "8.0.5"		android		Affected
Sap Search vendor "Sap"		Successfactors Mobile Search vendor "Sap" for product "Successfactors Mobile"				8.0.5 Search vendor "Sap" for product "Successfactors Mobile" and version "8.0.5"		iphone_os		Affected