Vulnerability Description
Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Netweaver As Abap | kernel_7.49 |
| Sap | Netweaver As Abap Krnl64Nuc | 7.49 |
| Sap | Netweaver As Abap Krnl64Uc | 7.49 |
| Sap | Router | 7.22 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/168406/SAP-SAProuter-Improper-Access-ControExploitThird Party Advisory
- http://seclists.org/fulldisclosure/2022/Sep/17ExploitMailing ListThird Party Advisory
- https://launchpad.support.sap.com/#/notes/3158375Permissions RequiredVendor Advisory
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
- http://packetstormsecurity.com/files/168406/SAP-SAProuter-Improper-Access-ControExploitThird Party Advisory
- http://seclists.org/fulldisclosure/2022/Sep/17ExploitMailing ListThird Party Advisory
- https://launchpad.support.sap.com/#/notes/3158375Permissions RequiredVendor Advisory
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlVendor Advisory
FAQ
What is CVE-2022-27668?
CVE-2022-27668 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP...
How severe is CVE-2022-27668?
CVE-2022-27668 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-27668?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver As Abap, Sap Netweaver As Abap Krnl64Nuc, Sap Netweaver As Abap Krnl64Uc, Sap Router.