Rewterz Threat Advisory – Multiple SAP Vulnerabilities

March 9, 2022

Severity

Medium

Analysis Summary

CVE-2022-26104

SAP Financial Consolidation could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation for updating homepage messages. By sending a specially-crafted request, an attacker could exploit this vulnerability to alter the maintenance system message.

CVE-2022-26103

SAP NetWeaver AS JAVA could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2022-26102

SAP NetWeaver Application Server for ABAP could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to access content on the start screen and manipulate data before the start screen is executed.

CVE-2022-26101

SAP Fiori launchpad is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2022-26100

SAP SAPCAR is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause SAPCAR process to crash, and obtain privileged access to the system.

CVE-2022-24399

SAP Focused Run is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the REST service. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2022-24398

SAP Business Objects Business Intelligence Platform could allow a remote authenticated attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2022-24396

SAP Focused Run could allow a local attacker to gain elevated privileges on the system, caused by improper authentication validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations.

CVE-2022-24395

SAP NetWeaver Enterprise Portal is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2022-22547

SAP Focused Run could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted request via random port 9000-65535, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.