CVE-2022-22544

Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720, allows an administrator to execute code on all connected Diagnostics Agents and browse files on their systems. An attacker could thereby control the managed systems. It is considered that this is a missing segregation of duty for the SAP Solution Manager administrator. Impacts of unauthorized execution of commands can lead to sensitive information disclosure, loss of system integrity and denial of service.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3140940	Permissions Required Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*

History

25 Oct 2022, 20:39

Type	Values Removed	Values Added
References	~~(MISC) https://launchpad.support.sap.com/#/notes/3140940 - Permissions Required~~	(MISC) https://launchpad.support.sap.com/#/notes/3140940 - Permissions Required, Vendor Advisory
References	~~(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

24 Aug 2022, 16:15

Type	Values Removed	Values Added
References	{'url': 'https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022', 'name': 'https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022', 'tags': ['Vendor Advisory'], 'refsource': 'MISC'}	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -

16 Feb 2022, 17:58

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
First Time		Sap Sap solution Manager
References	~~(MISC) https://launchpad.support.sap.com/#/notes/3140940 -~~	(MISC) https://launchpad.support.sap.com/#/notes/3140940 - Permissions Required
References	~~(MISC) https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022 -~~	(MISC) https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 9.1
CPE		cpe:2.3:a:sap:solution_manager:7.20:::::::*

09 Feb 2022, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-02-09 23:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-22544

Mitre link : CVE-2022-22544

CVE.ORG link : CVE-2022-22544

JSON object : View

Products Affected

sap

solution_manager

CWE

NVD-CWE-noinfo

9.1 /10