CVE-2022-26102

{"id": "CVE-2022-26102", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2022-03-10T17:47:30.490", "references": [{"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://launchpad.support.sap.com/#/notes/3145997", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application."}, {"lang": "es", "value": "Debido a una falta de comprobaci\u00f3n de la autorizaci\u00f3n, SAP NetWeaver Application Server for ABAP - versiones 700, 701, 702, 731, permite a un atacante autenticado, acceder al contenido de la pantalla de inicio de cualquier transacci\u00f3n que est\u00e9 disponible con en el mismo sistema SAP, incluso si \u00e9l / ella no est\u00e1 autorizado para esa transacci\u00f3n. Una explotaci\u00f3n con \u00e9xito podr\u00eda exponer informaci\u00f3n y, en el peor de los casos, manipular datos antes de que sea ejecutada la pantalla de inicio, lo que tendr\u00eda un impacto limitado en la confidencialidad e integridad de la aplicaci\u00f3n"}], "lastModified": "2022-10-06T15:09:35.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98B2522A-B850-4EC2-B2F2-5EBF36801B39"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D"}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CC29738-CF17-4E6B-9C9E-879B17F7E001"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}