CVE-2022-32246 - Vulnerability Details

Vendors	Products
Sap	Business Objects Business Intelligence Platform

Link	Providers
https://launchpad.support.sap.com/#/notes/3203079
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "SAP BusinessObjects Business Intelligence Platform (Visual Difference Application)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "420"}, {"status": "affected", "version": "430"}]}], "descriptions": [{"lang": "en", "value": "SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-12T20:26:21", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3203079"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2022-32246", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP BusinessObjects Business Intelligence Platform (Visual Difference Application)", "version": {"version_data": [{"version_affected": "=", "version_value": "420"}, {"version_affected": "=", "version_value": "430"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application"}]}, "impact": {"cvss": {"baseScore": "null", "vectorString": "null", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89"}]}]}, "references": {"reference_data": [{"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "refsource": "MISC", "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"name": "https://launchpad.support.sap.com/#/notes/3203079", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3203079"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:39:50.334Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/3203079"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2022-32246", "datePublished": "2022-07-12T20:26:21", "dateReserved": "2022-06-02T00:00:00", "dateUpdated": "2024-08-03T07:39:50.334Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : SAP BusinessObjects Business Intelligence Platform (Visual Difference Application) (string)

vendor : SAP SE (string)

versions : [ »

0 : { »

status : affected (string)

version : 420 (string)

}

1 : { »

status : affected (string)

version : 430 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-89 (string)

description : CWE-89 (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2022-07-12T20:26:21 (string)

orgId : e4686d1a-f260-4930-ac4c-2f5c992778dd (string)

shortName : sap (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://launchpad.support.sap.com/#/notes/3203079 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cna@sap.com (string)

ID : CVE-2022-32246 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : SAP BusinessObjects Business Intelligence Platform (Visual Difference Application) (string)

version : { »

version_data : [ »

0 : { »

version_affected : = (string)

version_value : 420 (string)

}

1 : { »

version_affected : = (string)

version_value : 430 (string)

}

]

}

]

}

vendor_name : SAP SE (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application (string)

}

]

}

impact : { »

cvss : { »

baseScore : null (string)

vectorString : null (string)

version : 3.0 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-89 (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

refsource : MISC (string)

url : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

}

1 : { »

name : https://launchpad.support.sap.com/#/notes/3203079 (string)

refsource : MISC (string)

url : https://launchpad.support.sap.com/#/notes/3203079 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T07:39:50.334Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://launchpad.support.sap.com/#/notes/3203079 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : e4686d1a-f260-4930-ac4c-2f5c992778dd (string)

assignerShortName : sap (string)

cveId : CVE-2022-32246 (string)

datePublished : 2022-07-12T20:26:21 (string)

dateReserved : 2022-06-02T00:00:00 (string)

dateUpdated : 2024-08-03T07:39:50.334Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_objects_business_intelligence_platform:420:*:*:*:*:*:*:*", "matchCriteriaId": "1F7F8064-45BC-4A01-897A-0A2893BBBEC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_objects_business_intelligence_platform:430:*:*:*:*:*:*:*", "matchCriteriaId": "6EB0EFA3-8AD2-42F2-86E1-A62ECF8340E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application"}, {"lang": "es", "value": "SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versiones 420, 430, permite a un atacante autenticado que tenga acceso a la consola de administraci\u00f3n de BI enviar consultas dise\u00f1adas y extraer datos del backend SQL. Si es explotado con \u00e9xito, el atacante puede causar un impacto limitado en la confidencialidad e integridad de la aplicaci\u00f3n"}], "id": "CVE-2022-32246", "lastModified": "2024-11-21T07:06:00.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-12T21:15:10.427", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/3203079"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/3203079"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@sap.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:sap:business_objects_business_intelligence_platform:420:*:*:*:*:*:*:* (string)

matchCriteriaId : 1F7F8064-45BC-4A01-897A-0A2893BBBEC0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:sap:business_objects_business_intelligence_platform:430:*:*:*:*:*:*:* (string)

matchCriteriaId : 6EB0EFA3-8AD2-42F2-86E1-A62ECF8340E3 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application (string)

}

1 : { »

lang : es (string)

value : SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versiones 420, 430, permite a un atacante autenticado que tenga acceso a la consola de administración de BI enviar consultas diseñadas y extraer datos del backend SQL. Si es explotado con éxito, el atacante puede causar un impacto limitado en la confidencialidad e integridad de la aplicación (string)

}

]

id : CVE-2022-32246 (string)

lastModified : 2024-11-21T07:06:00.500 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 4.9 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:S/C:P/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.6 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.1 (number)

impactScore : 2.5 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2022-07-12T21:15:10.427 (string)

references : [ »

0 : { »

source : cna@sap.com (string)

tags : [ »

0 : Permissions Required (string)

1 : Vendor Advisory (string)

]

url : https://launchpad.support.sap.com/#/notes/3203079 (string)

}

1 : { »

source : cna@sap.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Permissions Required (string)

1 : Vendor Advisory (string)

]

url : https://launchpad.support.sap.com/#/notes/3203079 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (string)

}

]

sourceIdentifier : cna@sap.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-89 (string)

}

]

source : cna@sap.com (string)

type : Secondary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object