CVE-2022-41271

9.4CRITICAL

Key Information:

Vendor: SAP
Status: Netweaver Process Integration
Vendor: CVE Published:; 13 December 2022

Summary

An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to:

Read any information
Modify sensitive information
Denial of Service attacks (DoS)
SQL Injection

Affected Version(s)

NetWeaver Process Integration 7.50

References

https://launchpad.support.sap.com/#/notes/3267780

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 13, 2022
Vulnerability Reserved
Sep 21, 2022