CVE-2022-41264 (GCVE-0-2022-41264)

Vulnerability from cvelistv5 – Published: 2022-12-13 02:27 – Updated: 2025-04-22 14:24
VLAI?
Summary
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
sap
References
Impacted products
Vendor Product Version
SAP BASIS Affected: 731
Affected: 740
Affected: 750
Affected: 751
Affected: 752
Affected: 753
Affected: 754
Affected: 755
Affected: 756
Affected: 757
Affected: 789
Affected: 790
Affected: 791
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:42:44.052Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3268172"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41264",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T14:24:09.747878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T14:24:19.868Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BASIS",
          "vendor": "SAP",
          "versions": [
            {
              "status": "affected",
              "version": "731"
            },
            {
              "status": "affected",
              "version": "740"
            },
            {
              "status": "affected",
              "version": "750"
            },
            {
              "status": "affected",
              "version": "751"
            },
            {
              "status": "affected",
              "version": "752"
            },
            {
              "status": "affected",
              "version": "753"
            },
            {
              "status": "affected",
              "version": "754"
            },
            {
              "status": "affected",
              "version": "755"
            },
            {
              "status": "affected",
              "version": "756"
            },
            {
              "status": "affected",
              "version": "757"
            },
            {
              "status": "affected",
              "version": "789"
            },
            {
              "status": "affected",
              "version": "790"
            },
            {
              "status": "affected",
              "version": "791"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: white;\"\u003eDue to the unrestricted scope of the RFC function module, SAP BASIS - versions \u003c/span\u003e731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, \u003cspan style=\"background-color: white;\"\u003eallows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-13T02:27:48.081Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://launchpad.support.sap.com/#/notes/3268172"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2022-41264",
    "datePublished": "2022-12-13T02:27:48.081Z",
    "dateReserved": "2022-09-21T16:20:14.948Z",
    "dateUpdated": "2025-04-22T14:24:19.868Z",
    "requesterUserId": "048f1e0a-8756-40de-bd1f-51292c7183c7",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1AC2D764-A795-4FBC-95AF-D212B8E51991\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B469CB1A-3AF3-4824-A185-A46A63DBABBE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.50:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"56852389-A9A8-42DB-A471-10C1990502FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.51:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"594CB284-78FF-491F-BAF6-390E7D4D5DBE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.52:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7ACA030-9C6A-47D3-A7D9-899753870241\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"893979E3-40EB-4847-A39B-F548F3000F89\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.54:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"977F2126-AB92-47D0-B7D4-314D468AC497\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.55:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DE7ABA91-2E83-4135-B543-C4BC04E67BA1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.56:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7881EFCE-EA98-4513-BBE2-B1728D3EBE61\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.57:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E924B0F0-B319-4B8A-8436-4A9E4657D5AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.89:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"400C963C-15B3-45DC-BF72-1AD59099DB87\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.90:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E13804DE-69D3-4F43-BC97-5BE7D79854E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:basis:7.91:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9076C5C4-CE37-4D6D-B271-DB41166C1337\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\\n\"}, {\"lang\": \"es\", \"value\": \"Debido al alcance ilimitado del m\\u00f3dulo de funci\\u00f3n RFC, SAP BASIS - versiones 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, permite que un atacante no administrador autenticado acceda una clase de sistema y ejecutar cualquiera de sus m\\u00e9todos p\\u00fablicos con par\\u00e1metros proporcionados por el atacante. Si la explotaci\\u00f3n tiene \\u00e9xito, el atacante puede tener control total del sistema al que pertenece la clase, provocando un alto impacto en la integridad de la aplicaci\\u00f3n.\"}]",
      "id": "CVE-2022-41264",
      "lastModified": "2024-11-21T07:22:56.593",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2022-12-13T03:15:09.330",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3268172\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3268172\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-41264\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2022-12-13T03:15:09.330\",\"lastModified\":\"2024-11-21T07:22:56.593\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\\n\"},{\"lang\":\"es\",\"value\":\"Debido al alcance ilimitado del m\u00f3dulo de funci\u00f3n RFC, SAP BASIS - versiones 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, permite que un atacante no administrador autenticado acceda una clase de sistema y ejecutar cualquiera de sus m\u00e9todos p\u00fablicos con par\u00e1metros proporcionados por el atacante. Si la explotaci\u00f3n tiene \u00e9xito, el atacante puede tener control total del sistema al que pertenece la clase, provocando un alto impacto en la integridad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1AC2D764-A795-4FBC-95AF-D212B8E51991\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B469CB1A-3AF3-4824-A185-A46A63DBABBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56852389-A9A8-42DB-A471-10C1990502FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.51:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"594CB284-78FF-491F-BAF6-390E7D4D5DBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.52:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7ACA030-9C6A-47D3-A7D9-899753870241\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"893979E3-40EB-4847-A39B-F548F3000F89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"977F2126-AB92-47D0-B7D4-314D468AC497\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.55:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE7ABA91-2E83-4135-B543-C4BC04E67BA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.56:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7881EFCE-EA98-4513-BBE2-B1728D3EBE61\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.57:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E924B0F0-B319-4B8A-8436-4A9E4657D5AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.89:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"400C963C-15B3-45DC-BF72-1AD59099DB87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.90:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E13804DE-69D3-4F43-BC97-5BE7D79854E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:basis:7.91:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9076C5C4-CE37-4D6D-B271-DB41166C1337\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3268172\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3268172\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3268172\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:42:44.052Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41264\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T14:24:09.747878Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T14:24:14.928Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP\", \"product\": \"BASIS\", \"versions\": [{\"status\": \"affected\", \"version\": \"731\"}, {\"status\": \"affected\", \"version\": \"740\"}, {\"status\": \"affected\", \"version\": \"750\"}, {\"status\": \"affected\", \"version\": \"751\"}, {\"status\": \"affected\", \"version\": \"752\"}, {\"status\": \"affected\", \"version\": \"753\"}, {\"status\": \"affected\", \"version\": \"754\"}, {\"status\": \"affected\", \"version\": \"755\"}, {\"status\": \"affected\", \"version\": \"756\"}, {\"status\": \"affected\", \"version\": \"757\"}, {\"status\": \"affected\", \"version\": \"789\"}, {\"status\": \"affected\", \"version\": \"790\"}, {\"status\": \"affected\", \"version\": \"791\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://launchpad.support.sap.com/#/notes/3268172\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: white;\\\"\u003eDue to the unrestricted scope of the RFC function module, SAP BASIS - versions \u003c/span\u003e731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, \u003cspan style=\\\"background-color: white;\\\"\u003eallows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2022-12-13T02:27:48.081Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-41264\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T14:24:19.868Z\", \"dateReserved\": \"2022-09-21T16:20:14.948Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2022-12-13T02:27:48.081Z\", \"requesterUserId\": \"048f1e0a-8756-40de-bd1f-51292c7183c7\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.