CVE-2022-29612
MEDIUM
SAP Host Agent and NetWeaver ABAP - Authenticated Server-Side Request Forgery via sapcontrol startservice
Title source: llm
Description
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22 - allow an authenticated user to misuse a function of the sapcontrol web functionality (startservice) in the Kernel, which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information such as the system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/3194674
Scores
CVSS v3: 4.3
EPSS: 0.0015
EPSS Percentile: 34.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-918
Status: published
Products (18)
sap/host_agent: 7.22
sap/netweaver_abap: kernel_7.22
sap/netweaver_abap: kernel_7.49
sap/netweaver_abap: kernel_7.53
sap/netweaver_abap: kernel_7.77
sap/netweaver_abap: kernel_7.81
sap/netweaver_abap: kernel_7.85
sap/netweaver_abap: kernel_7.86
sap/netweaver_abap: kernel_7.87
sap/netweaver_abap: kernel_7.88
... and 8 more
Published: Jun 14, 2022
Tracked Since: Feb 18, 2026