cnvd - cnvd-2022-56950

CNVD-2022-56950

Vulnerability from cnvd - Published: 2022-08-15

Title

SAP NetWeaver Development Infrastructure跨站脚本漏洞

Description

SAP NetWeaver Development Infrastructure是德国思爱普（SAP）公司的提供了一致的开发环境，开发团队，并支持软件开发贯穿产品的整个生命周期。 SAP NetWeaver Development Infrastructure存在跨站脚本漏洞，攻击者可利用该漏洞将脚本注入URL并在用户的浏览器中执行代码。

Severity

中

Patch Name

SAP NetWeaver Development Infrastructure跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://launchpad.support.sap.com/#/notes/3197927

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-29618

Impacted products

Name
['SAP SAP NetWeaver Development Infrastructure 7.31', 'SAP SAP NetWeaver Development Infrastructure 7.40', 'SAP SAP NetWeaver Development Infrastructure 7.50', 'SAP SAP NetWeaver Development Infrastructure 7.30']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-29618"
    }
  },
  "description": "SAP NetWeaver Development Infrastructure\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u63d0\u4f9b\u4e86\u4e00\u81f4\u7684\u5f00\u53d1\u73af\u5883\uff0c\u5f00\u53d1\u56e2\u961f\uff0c\u5e76\u652f\u6301\u8f6f\u4ef6\u5f00\u53d1\u8d2f\u7a7f\u4ea7\u54c1\u7684\u6574\u4e2a\u751f\u547d\u5468\u671f\u3002\n\nSAP NetWeaver Development Infrastructure\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u811a\u672c\u6ce8\u5165URL\u5e76\u5728\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://launchpad.support.sap.com/#/notes/3197927",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-56950",
  "openTime": "2022-08-15",
  "patchDescription": "SAP NetWeaver Development Infrastructure\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u63d0\u4f9b\u4e86\u4e00\u81f4\u7684\u5f00\u53d1\u73af\u5883\uff0c\u5f00\u53d1\u56e2\u961f\uff0c\u5e76\u652f\u6301\u8f6f\u4ef6\u5f00\u53d1\u8d2f\u7a7f\u4ea7\u54c1\u7684\u6574\u4e2a\u751f\u547d\u5468\u671f\u3002\r\n\r\nSAP NetWeaver Development Infrastructure\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u811a\u672c\u6ce8\u5165URL\u5e76\u5728\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver Development Infrastructure\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP SAP NetWeaver Development Infrastructure 7.31",
      "SAP SAP NetWeaver Development Infrastructure 7.40",
      "SAP SAP NetWeaver Development Infrastructure 7.50",
      "SAP SAP NetWeaver Development Infrastructure 7.30"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-29618",
  "serverity": "\u4e2d",
  "submitTime": "2022-06-15",
  "title": "SAP NetWeaver Development Infrastructure\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2022-29618 (GCVE-0-2022-29618)

Vulnerability from cvelistv5 – Published: 2022-06-14 18:35 – Updated: 2024-08-03 06:26

Summary

Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

Severity ?

No CVSS data available.

CWE

CWE-79

Assigner

sap

References

URL

Tags

	https://www.sap.com/documents/2022/02/fa865ea4-16…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/3197927	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP NetWeaver Development Infrastructure (Design Time Repository)	Affected: 7.30 Affected: 7.31 Affected: 7.40 Affected: 7.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:26:06.613Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3197927"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver Development Infrastructure (Design Time Repository)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.30"
            },
            {
              "status": "affected",
              "version": "7.31"
            },
            {
              "status": "affected",
              "version": "7.40"
            },
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user\u2019s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-14T18:35:37",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3197927"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2022-29618",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver Development Infrastructure (Design Time Repository)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "7.30"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.31"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.40"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user\u2019s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "null",
            "vectorString": "null",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
              "refsource": "MISC",
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3197927",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3197927"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2022-29618",
    "datePublished": "2022-06-14T18:35:37",
    "dateReserved": "2022-04-25T00:00:00",
    "dateUpdated": "2024-08-03T06:26:06.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-56950

CVE-2022-29618 (GCVE-0-2022-29618)

Tags

Sightings

Nomenclature