CVE-2022-28217 — Vulnetix

CVE-2022-28217 PUBLISHED CVSS 6.5 MEDIUM

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system’s Availability by causing system to crash.

EPSS 0.26% · 49.2th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.26%

49.2th percentile

Affected Products

Vendor	Product	Versions
sap	netweaver	7.30, 7.20, 7.31
SAP SE	SAP NetWeaver (EP Web Page Composer)	7.20, 7.30, 7.31

Timeline

Apr 7, 2022 PoC Published
Apr 13, 2022 CVE Published
Jun 14, 2022 EPSS Score
Aug 2, 2022 EPSS Score
Sep 19, 2022 EPSS Score
Nov 6, 2022 EPSS Score
Dec 24, 2022 EPSS Score
Feb 10, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 30, 2023 EPSS Score
May 17, 2023 EPSS Score
Jul 4, 2023 EPSS Score

References

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html url
https://launchpad.support.sap.com/#/notes/3148377 url
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-28217 advisory

Open in Interactive Console →