CVE-2022-41268
First published: Tue Dec 13 2022(Updated: )
In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Business Planning and Consolidation | =200 | |
| SAP Business Planning and Consolidation | =300 | |
| SAP Business Planning and Consolidation | =750 | |
| SAP Business Planning and Consolidation | =751 | |
| SAP Business Planning and Consolidation | =752 | |
| SAP Business Planning and Consolidation | =753 | |
| SAP Business Planning and Consolidation | =754 | |
| SAP Business Planning and Consolidation | =755 | |
| SAP Business Planning and Consolidation | =756 | |
| SAP Business Planning and Consolidation | =757 | |
| SAP Business Planning and Consolidation | =810 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-41268?
CVE-2022-41268 is a medium severity vulnerability that allows unauthorized transaction execution in certain SAP Business Planning and Consolidation roles.
How do I mitigate CVE-2022-41268?
To mitigate CVE-2022-41268, apply the recommended SAP security patches and restrict access to sensitive transaction codes.
Who is affected by CVE-2022-41268?
CVE-2022-41268 affects users of SAP Business Planning and Consolidation versions 200, 300, and versions from 750 to 757.
What actions can a malicious user take with CVE-2022-41268?
A malicious user can exploit CVE-2022-41268 to execute unauthorized transactions within the SAP Business Planning and Consolidation environment.
Is CVE-2022-41268 a local or remote attack vector?
CVE-2022-41268 is primarily a local attack vector requiring access to the SAP Business Planning and Consolidation system.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap business planning and consolidation
- version/sap business planning and consolidation/200
- version/sap business planning and consolidation/300
- version/sap business planning and consolidation/750
- version/sap business planning and consolidation/751
- version/sap business planning and consolidation/752
- version/sap business planning and consolidation/753
- version/sap business planning and consolidation/754
- version/sap business planning and consolidation/755
- version/sap business planning and consolidation/756
- version/sap business planning and consolidation/757
- version/sap business planning and consolidation/810