Cyber Resilience

CVE-2022-28213

Severity: High · Public PoC

Published: 12 April 2022
Modified: 21 November 2024
KEV Added: not listed in CISA KEV
Patch: SAP note 3055044 (February 2022 security patch release)
CVSS v3.1 score: 8.1 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.1262 (94.1st percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28213 is a high-severity Missing XML Validation (CWE-112) vulnerability in SAP BusinessObjects Business Intelligence Platform. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-28213 affects the SOAP Web services component of SAP BusinessObjects Business Intelligence Platform versions 420 and 430. The flaw stems from insufficient validation of XML documents supplied by untrusted sources, which maps to CWE-112 and permits XML injection. Successful exploitation can yield arbitrary file retrieval from the server along with denial-of-service conditions. The vulnerability carries a CVSS 3.1 base score of 8.1, reflecting a network attack vector, low attack complexity, and low privileges required.

An authenticated attacker with network access can submit crafted XML payloads to the affected SOAP endpoints. This allows reading arbitrary files stored on the server and triggering service disruption, resulting in high impact to confidentiality and availability while integrity remains unaffected.

SAP addresses the issue in note 3055044 and the associated February 2022 security patch release. Public proof-of-concept material has been posted to Packet Storm, and the EPSS score has remained in the 0.12–0.15 range without a pronounced post-disclosure climb.
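The analysis above describes untrusted XML reaching the SOAP service and yielding file retrieval and denial of service. As an added example (not SAP's code and not from this page), the following pre-parse gate refuses any DTD, entity declaration or external entity reference before a request body reaches the application's XML parser; it assumes, since the page does not state the precise mechanism, that the file retrieval and DoS arise from DTD and entity processing of attacker-supplied XML.

```python
# Added example: a boundary check for untrusted SOAP/XML input. Assumption
# (not stated on the page): the file retrieval and DoS described for this
# CVE come from DTD/entity handling, so refusing DTDs outright closes both.
import xml.parsers.expat as expat


class UntrustedXmlRejected(ValueError):
    """Inbound XML contains a construct the SOAP boundary never accepts."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE, whether it carries an internal subset or points at an
    # external one, is refused; legitimate SOAP envelopes never need a DTD.
    raise UntrustedXmlRejected(f"DOCTYPE {name!r} not allowed")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Unreachable without a DOCTYPE, kept as defence in depth.
    raise UntrustedXmlRejected(f"entity declaration {name!r} not allowed")


def _reject_external_ref(context, base, sysid, pubid):
    # Never fetch a file or URL on behalf of the document.
    raise UntrustedXmlRejected(f"external entity reference {sysid!r} refused")


def inspect_untrusted_xml(data: bytes, max_bytes: int = 1_000_000) -> tuple:
    """Return (accepted, reason); accepted documents are well-formed and DTD-free."""
    if len(data) > max_bytes:  # crude size cap against resource exhaustion
        return False, f"document exceeds {max_bytes} bytes"
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    try:
        parser.Parse(data, True)  # handlers raise on the first forbidden construct
    except UntrustedXmlRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed samples (not from the advisory): a benign SOAP envelope, a DTD
# declaring an external SYSTEM entity, and a nested entity-expansion chain.
BENIGN = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/'
          b'soap/envelope/"><soap:Body><getReport id="42"/></soap:Body></soap:Envelope>')
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder/path">]><r>&e;</r>'
NESTED_ENTITIES = b'<!DOCTYPE r [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]><r>&b;</r>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external", EXTERNAL_ENTITY), ("nested", NESTED_ENTITIES)]:
        print(label, inspect_untrusted_xml(doc))
```

Run the check on the raw request body before any SOAP framework parses it; a rejection is also a useful detection signal, since well-formed client traffic to these endpoints should never carry a DOCTYPE.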

EU & UK References

Vulnerability details

When a user accesses SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary file retrieval from the server and in successful exploits of DoS.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SAP
Product: BusinessObjects Business Intelligence Platform
Versions: 420, 430

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References