Skip to main content

S 4Hana CVE-2022-31597

MEDIUM
Missing Authorization (CWE-862)
2022-07-12 cna@sap.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 12, 2022 - 21:15 nvd
MEDIUM 5.4

DescriptionNVD

Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.

AnalysisAI

Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data. Affected products include: Sap S\/4Hana, Sap Sapscore.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2021-38176 HIGH
8.8 Sep 14

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT functi

CVE-2023-24524 MEDIUM
6.5 Feb 14

SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated

CVE-2022-31589 MEDIUM
6.5 Jun 14

Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction

CVE-2023-40306 MEDIUM
6.1 Sep 08

SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a maliciou

CVE-2020-6184 MEDIUM
6.1 Feb 12

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS ver

CVE-2023-42473 MEDIUM
5.4 Oct 10

S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticat

CVE-2020-6212 MEDIUM
5.4 Apr 24

Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (version

CVE-2020-6185 MEDIUM
5.4 Feb 12

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS vers

CVE-2022-32248 MEDIUM
5.3 Jul 12

Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106

CVE-2020-6214 MEDIUM
4.7 Apr 14

SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Rated m

CVE-2023-42475 MEDIUM
4.3 Oct 10

The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker

CVE-2020-6316 MEDIUM
4.3 Nov 10

SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in

Share

CVE-2022-31597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy