CVE-2022-35168 (Denial of Service vulnerability in SAP Business one Version – 10.0 product of SAP SE)
Description
The security team of Green Tick Nepal Pvt. Ltd. located in Kathmandu, Nepal discovered a Denial of Service vulnerability in SAP Business one Version – 10.0 product of SAP SE. Due to improper input sanitization of XML input in SAP Business One – version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. This vulnerability has been classified as problematic and categorized as exploitable. The CWE definition for vulnerability is CWE-611.
Impact
SAP Business one Version – 10.0 software processes an XML file that can have XML entities with URIs that fix to files outside of the supposed sphere of control, causing the product to embed wrong files into its output. This Vulnerability has left more than 100k Android users affected.
Proof of Concept
The Security Team of Green Tick Nepal Pvt. Ltd. has not published a Proof of Concept (POC) for SAP Business One – version 10.0.
Solution
| CVE-ID | Description | Products |
| CVE-2022-35168 | Denial of Service vulnerability in SAP Business One | SAP Business One – version 10.0 |
Responsible Disclosure Time
| Date | Remarks |
| 12th July 2022 | CVE Published
CVE-2022-35168 |
| 12th Oct 2022 | Advisory Planned Date |
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35168
https://nvd.nist.gov/vuln/detail/CVE-2022-35168
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
