ID

VAR-202206-1219


CVE

CVE-2022-27668


TITLE

Incorrect Authentication Vulnerability in Multiple SAP Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-011898

DESCRIPTION

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability. Multiple SAP products, including SAP NetWeaver AS ABAP, NetWeaver AS ABAP KRNL64NUC and NetWeaver AS ABAP KRNL64UC, contain an incorrect authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.8

sources: NVD: CVE-2022-27668 // JVNDB: JVNDB-2022-011898 // VULHUB: VHN-418337 // VULMON: CVE-2022-27668

AFFECTED PRODUCTS

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.88

Trust: 1.0

vendor: sap // model: netweaver as abap krnl64uc // scope: eq // version: 7.49

Trust: 1.0

vendor: sap // model: router // scope: eq // version: 7.53

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.49

Trust: 1.0

vendor: sap // model: router // scope: eq // version: 7.22

Trust: 1.0

vendor: sap // model: netweaver as abap krnl64nuc // scope: eq // version: 7.49

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.87

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.81

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.86

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.77

Trust: 1.0

vendor: sap // model: netweaver as abap // scope: eq // version: kernel_7.85

Trust: 1.0

vendor: sap // model: netweaver as abap krnl64uc // scope: - // version: -

Trust: 0.8

vendor: sap // model: netweaver as abap // scope: - // version: -

Trust: 0.8

vendor: sap // model: netweaver as abap krnl64nuc // scope: - // version: -

Trust: 0.8

vendor: sap // model: router // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-011898 // NVD: CVE-2022-27668

CVSS

SEVERITY

NVD: CVE-2022-27668
value: CRITICAL

Trust: 1.8

CNNVD: CNNVD-202206-1322
value: CRITICAL

Trust: 0.6

VULHUB: VHN-418337
value: HIGH

Trust: 0.1

VULMON: CVE-2022-27668
value: HIGH

Trust: 0.1

CVSSV2

NVD:
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2022-27668
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

VULHUB: VHN-418337
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-27668
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-418337 // VULMON: CVE-2022-27668 // JVNDB: JVNDB-2022-011898 // NVD: CVE-2022-27668 // CNNVD: CNNVD-202206-1322

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:Illegal authentication (CWE-863) [ others ]

Trust: 0.8

sources: VULHUB: VHN-418337 // JVNDB: JVNDB-2022-011898 // NVD: CVE-2022-27668

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-1322

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202206-1322

CONFIGURATIONS

sources: NVD: CVE-2022-27668

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-418337

PATCH

title: SAP NetWeaver and ABAP Platform Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=198110

Trust: 0.6

sources: CNNVD: CNNVD-202206-1322

EXTERNAL IDS

db: NVD // id: CVE-2022-27668

Trust: 3.4

db: PACKETSTORM // id: 168406

Trust: 2.6

db: JVNDB // id: JVNDB-2022-011898

Trust: 0.8

db: CXSECURITY // id: WLB-2022090043

Trust: 0.6

db: CNNVD // id: CNNVD-202206-1322

Trust: 0.6

db: VULHUB // id: VHN-418337

Trust: 0.1

db: VULMON // id: CVE-2022-27668

Trust: 0.1

sources: VULHUB: VHN-418337 // VULMON: CVE-2022-27668 // JVNDB: JVNDB-2022-011898 // NVD: CVE-2022-27668 // CNNVD: CNNVD-202206-1322

REFERENCES

url:http://packetstormsecurity.com/files/168406/sap-saprouter-improper-access-control.html

Trust: 3.3

url:http://seclists.org/fulldisclosure/2022/sep/17

Trust: 2.6

url:https://launchpad.support.sap.com/#/notes/3158375

Trust: 2.6

url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-27668

Trust: 0.8

url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-38592

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-27668/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022090043

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-418337 // VULMON: CVE-2022-27668 // JVNDB: JVNDB-2022-011898 // NVD: CVE-2022-27668 // CNNVD: CNNVD-202206-1322

CREDITS

Fabian Hagg

Trust: 0.6

sources: CNNVD: CNNVD-202206-1322

SOURCES

db: VULHUB // id: VHN-418337
db: VULMON // id: CVE-2022-27668
db: JVNDB // id: JVNDB-2022-011898
db: NVD // id: CVE-2022-27668
db: CNNVD // id: CNNVD-202206-1322

LAST UPDATE DATE

2023-12-18T12:48:41.345000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-418337 // date: 2022-10-27T00:00:00
db: VULMON // id: CVE-2022-27668 // date: 2022-09-16T00:00:00
db: JVNDB // id: JVNDB-2022-011898 // date: 2023-08-24T08:26:00
db: NVD // id: CVE-2022-27668 // date: 2022-10-27T19:11:06.227
db: CNNVD // id: CNNVD-202206-1322 // date: 2022-09-19T00:00:00

SOURCES RELEASE DATE

db: VULHUB // id: VHN-418337 // date: 2022-06-14T00:00:00
db: VULMON // id: CVE-2022-27668 // date: 2022-06-14T00:00:00
db: JVNDB // id: JVNDB-2022-011898 // date: 2023-08-24T00:00:00
db: NVD // id: CVE-2022-27668 // date: 2022-06-14T17:15:08.177
db: CNNVD // id: CNNVD-202206-1322 // date: 2022-06-14T00:00:00