CVE-2022-28213
Published: 12 April 2022
Summary
CVE-2022-28213 is a high-severity Missing XML Validation (CWE-112) vulnerability in SAP BusinessObjects Business Intelligence Platform. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-28213 affects the SOAP Web services component of SAP BusinessObjects Business Intelligence Platform versions 420 and 430. The flaw stems from insufficient validation of XML documents supplied by untrusted sources, which maps to CWE-112 and permits XML injection. Successful exploitation can yield arbitrary file retrieval from the server along with denial-of-service conditions. The vulnerability carries a CVSS 3.1 base score of 8.1, reflecting a network attack vector, low attack complexity, and low privileges required.
An authenticated attacker with network access can submit crafted XML payloads to the affected SOAP endpoints. This allows reading arbitrary files stored on the server and triggering service disruption, resulting in high impact to confidentiality and availability while integrity remains unaffected.
SAP addresses the issue in note 3055044 and the associated February 2022 security patch release. Public proof-of-concept material has been posted to Packet Storm, and the EPSS score has remained in the 0.12–0.15 range without a pronounced post-disclosure climb.
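The root cause described above is XML accepted from an untrusted caller without being validated before it reaches the parser. The following is an added defensive example, not SAP's code and not taken from the advisory or note 3055044: an intake filter written with Python's standard-library expat bindings that rejects DOCTYPE and entity declarations, refuses external entity references, and bounds document size and nesting depth before the document is parsed into a tree. The policy is a generic mitigation for this class of flaw, not a description of SAP's fix; the SOAP envelope and the two hostile documents below are constructed for the demonstration, and the placeholder file path and the size and depth limits are assumptions.

```python
"""Intake filter for XML received from untrusted callers (added example).

Policy: no DOCTYPE, no entity declarations, no external entity references,
bounded size and nesting. Documents that pass are then parsed normally.
The sample documents at the bottom are constructed for this demo.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed request-size ceiling for this demo
MAX_DEPTH = 32         # assumed element-nesting ceiling for this demo


class UntrustedXMLError(ValueError):
    """Raised when a document violates the intake policy."""


def check_untrusted_xml(data: bytes, max_bytes: int = MAX_BYTES,
                        max_depth: int = MAX_DEPTH) -> ET.Element:
    """Validate the document against the policy, then return its root element."""
    if len(data) > max_bytes:
        raise UntrustedXMLError(f"document exceeds {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    # Any DTD is refused outright: internal subsets are where entity
    # declarations (file reads, expansion bombs) would be introduced.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError(f"DOCTYPE declaration not allowed (root={name!r})")

    def on_entity_decl(*args):
        raise UntrustedXMLError("entity declaration not allowed")

    # Belt and braces: never let expat resolve an external reference.
    def on_external_entity(context, base, system_id, public_id):
        raise UntrustedXMLError(f"external entity reference not allowed ({system_id!r})")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise UntrustedXMLError(f"nesting deeper than {max_depth} levels")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise UntrustedXMLError(f"malformed XML: {exc}") from exc

    # The document passed the policy; build the tree for the application.
    return ET.fromstring(data)


def triage(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) so callers can log rejections uniformly."""
    try:
        root = check_untrusted_xml(data)
    except UntrustedXMLError as exc:
        return False, str(exc)
    return True, f"accepted root element {root.tag}"


# Constructed sample inputs (not real traffic).
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetReport><id>42</id></GetReport></soap:Body>
</soap:Envelope>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>
<r>&ext;</r>"""

ENTITY_EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY a "xxxxxxxxxx"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>
<r>&b;</r>"""


def deep_document(levels: int) -> bytes:
    """Build a document nested `levels` elements deep."""
    return b"<a>" * levels + b"x" + b"</a>" * levels


if __name__ == "__main__":
    for label, doc in [("soap", SOAP_OK), ("xxe", EXTERNAL_ENTITY),
                       ("bomb", ENTITY_EXPANSION), ("deep", deep_document(40))]:
        print(label, triage(doc))
```

The filter parses twice (once under the policy handlers, once to build the tree); that is deliberate, because ElementTree does not expose its expat handlers, and the cost is negligible next to the cost of admitting an unchecked document. In a SOAP front end the same check belongs at the transport boundary, before any business-logic deserialisation sees the payload.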
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32667
Vulnerability details
When a user accesses SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary file retrieval from the server and in successful exploits of DoS.
- CWE(s): CWE-112 (Missing XML Validation)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.