CVE-2022-27668

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:netweaver_as_abap:kernel_7.49:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.81:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.86:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.87:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.88:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.49:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.49:*:*:*:*:*:*:*
cpe:2.3:a:sap:router:7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:router:7.53:*:*:*:*:*:*:*

History

27 Oct 2022, 19:11

Type Values Removed Values Added
References (MISC) http://packetstormsecurity.com/files/168406/SAP-SAProuter-Improper-Access-Control.html - (MISC) http://packetstormsecurity.com/files/168406/SAP-SAProuter-Improper-Access-Control.html - Exploit, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2022/Sep/17 - (FULLDISC) http://seclists.org/fulldisclosure/2022/Sep/17 - Exploit, Mailing List, Third Party Advisory

16 Sep 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/168406/SAP-SAProuter-Improper-Access-Control.html -

16 Sep 2022, 07:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2022/Sep/17 -

24 Jun 2022, 15:46

Type Values Removed Values Added
First Time Sap netweaver As Abap Krnl64uc
Sap router
Sap netweaver As Abap Krnl64nuc
Sap
Sap netweaver As Abap
References (MISC) https://launchpad.support.sap.com/#/notes/3158375 - (MISC) https://launchpad.support.sap.com/#/notes/3158375 - Permissions Required, Vendor Advisory
References (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
CPE cpe:2.3:a:sap:router:7.22:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.85:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.77:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.49:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.81:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.88:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.86:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.49:*:*:*:*:*:*:*
cpe:2.3:a:sap:router:7.53:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap:kernel_7.87:*:*:*:*:*:*:*
cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.49:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
CWE CWE-863

14 Jun 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-14 17:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-27668

Mitre link : CVE-2022-27668

CVE.ORG link : CVE-2022-27668


JSON object : View

Products Affected

sap

  • router
  • netweaver_as_abap_krnl64uc
  • netweaver_as_abap
  • netweaver_as_abap_krnl64nuc
CWE
CWE-863

Incorrect Authorization