Vulnerabilities > CVE-2022-27668 - Incorrect Authorization vulnerability in SAP products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sap

CWE-863

critical

NVD

Published: 2022-06-14

Updated: 2022-10-27

Summary

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Netweaver AS Abap Kernel_7.49 SAP Netweaver AS Abap Kernel_7.77 SAP Netweaver AS Abap Kernel_7.81 SAP Netweaver AS Abap Kernel_7.85 SAP Netweaver AS Abap Kernel_7.86 SAP Netweaver AS Abap Kernel_7.87 SAP Netweaver AS Abap Kernel_7.88 SAP Netweaver AS Abap Krnl64Uc 7.49 SAP Netweaver AS Abap Krnl64Nuc 7.49 SAP Router 7.22 SAP Router 7.53	11

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References