CVE-2022-22532 An attacker in SAP NetWeaver Application Server Java could create an HTTP request that triggers a memory leak. The versions listed above are vulnerable.


This issue has been addressed in version 7.53.

- In version 7.22, an unauthenticated attacker could send a crafted request to get the values of certain fields and columns in the system table, which could lead to information disclosure. Instead of just sending the request, an authenticated user could send the request with a valid session id. This could lead to session hijacking. This issue has been addressed in version 7.53.
- In versions 7.22, 7.49, 7.53, an unauthenticated attacker could issue SQL injection attacks on the application server. This could allow the attacker to execute SQL code and retrieve data that would otherwise be protected by the application server. This issue has been addressed in version 7.53.
- In versions 7.22, 7.49, 7.53, an unauthenticated attacker could send a crafted URL and trigger excessive CPU usage. This could lead to a denial of service condition. This issue has been addressed in version 7.53.
- In versions 7.22, 7.49, 7.53, an unauthenticated attacker could send a crafted URL and trigger excessive memory usage. This could lead to a denial of service condition. This issue has been addressed in version 7.53.
- In versions 7.22, 7.49, 7.53, an unauthenticated attacker could issue XSS attacks on the application server. This could allow the attacker to execute script code and steal potentially sensitive information. This issue has been addressed in

Mitigation Strategies:

The following mitigation strategies have been implemented:
- In version 7.53, an authenticated attacker could send a crafted request to get the values of certain fields and columns in the system table which could lead to information disclosure. Instead of just sending the request, an authenticated user could send the request with a valid session id. This could lead to session hijacking. This issue has been addressed in version 7.53.
