Vulnerability Details : CVE-2022-22528
SAP Adaptive Server Enterprise (ASE) version 16.0: the installer adds an entry to the system PATH environment variable on the Windows platform. Under certain conditions this allows a standard user to have malicious Windows binaries executed, which may lead to privilege escalation on the local system. The issue lies in the ASE installer and does not affect other ASE binaries. This is the uncontrolled search path pattern (CWE-427): when a directory on the machine-wide PATH is writable by a standard user, or is missing and can be created by one, a higher-privileged process that resolves an unqualified executable name through PATH can be made to run an attacker-supplied binary instead of the intended one.
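As an added example (not part of this CVE entry or of SAP's advisory or fix), the following PowerShell audits the machine-wide PATH for the precondition CWE-427 abuse needs: a directory that a standard user can write to, or that is missing and could be created. It assumes Windows PowerShell 5.1 or later; the function name, variable names and output layout are this example's own, and it makes no assumption about which directory the ASE installer adds.

```powershell
# Added example, not SAP's code: audit the machine PATH for CWE-427 conditions.
# Assumes Windows PowerShell 5.1+ (also runs unchanged in PowerShell 7 on Windows).

# The machine-wide PATH lives in the registry; reading it there avoids mixing in
# the current user's own PATH, which a privileged service would not see.
$envKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-ItemProperty -LiteralPath $envKey -Name Path).Path

# Well-known SIDs that every standard user is a member of.
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)

# Rights that let a user plant or replace a file in the directory.
# Modify and FullControl both contain these bits, so they match as well.
$plantMask = [int](
    [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

# Generic rights are not decoded into FileSystemRights; check them by bit.
$genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Test-PathEntry {
    param([int]$Index, [string]$Entry)

    $dir = [Environment]::ExpandEnvironmentVariables($Entry.Trim().Trim('"'))
    if ($dir -eq '') { return }

    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing directory is also a finding: if a low-privileged user can
        # create it (for example because its parent is writable), every lookup
        # that reaches this entry can be hijacked.
        [pscustomobject]@{
            Index = $Index; Directory = $dir
            Issue = 'Directory missing'; Identity = ''; Rights = ''
        }
        return
    }

    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }

        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $plantMask) -eq 0) -and
            (($raw -band $genericWriteOrAll) -eq 0)) { continue }

        [pscustomobject]@{
            Index = $Index; Directory = $dir
            Issue = 'Writable by standard users'
            Identity = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
        }
    }
}

$entries  = $machinePath -split ';'
$findings = for ($i = 0; $i -lt $entries.Count; $i++) {
    Test-PathEntry -Index $i -Entry $entries[$i]
}

if ($findings) {
    # A lower Index means earlier in the search order: a writable entry that
    # precedes %SystemRoot%\System32 can shadow system binaries too.
    $findings | Sort-Object Index | Format-Table -AutoSize
} else {
    'No machine PATH entries writable by standard users.'
}
```

Run it as an ordinary (non-elevated) user; Get-Acl only needs read access to the directory's security descriptor. Any entry reported as writable or missing is a candidate for hijack by whichever privileged process later resolves a binary through PATH, so tighten its ACL (or remove the entry) in addition to applying the vendor fix from SAP note 3140564.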
Vulnerability category: Gain privilege
Products affected by CVE-2022-22528
- cpe:2.3:a:sap:adaptive_server_enterprise:16.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-22528
EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~10% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-22528
CVSS Version | Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|---|
2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2022-22528
- CWE-427 (Uncontrolled Search Path Element): The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Assigned by: cna@sap.com (Primary), nvd@nist.gov (Secondary)
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: cna@sap.com (Secondary)
References for CVE-2022-22528
- https://launchpad.support.sap.com/#/notes/3140564 (SAP ONE Support Launchpad; log-on and permissions required; vendor advisory)
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (SAP Patch Day blog; vendor advisory)