CVE-2022-35168 

CVE-2022-35168 (Denial of Service vulnerability in SAP Business One version 10.0, a product of SAP SE)

Description 

The security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal, discovered a Denial of Service vulnerability in the SAP Business One version 10.0 product of SAP SE. Due to improper sanitization of XML input in SAP Business One version 10.0, an attacker can perform a denial-of-service attack, rendering the system temporarily inoperative. This vulnerability has been classified as problematic and categorized as exploitable. The CWE classification for this vulnerability is CWE-611 (Improper Restriction of XML External Entity Reference).

Impact 

SAP Business One version 10.0 processes XML files that can contain XML entities with URIs resolving to files outside the intended sphere of control, causing the product to embed the wrong files into its output. This vulnerability has left more than 100k Android users affected.
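As an added example that is not part of this advisory and not SAP's code, the following Python shows one parser-hardening pattern against the CWE-611 class described above: refuse any DOCTYPE, entity declaration or external entity reference before expansion begins, which cuts off both the file-embedding outcome and the entity-expansion denial of service. The sample documents are constructed for this illustration, and the file URI in them is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Document uses DTD features that enable XXE or entity-expansion DoS."""

def parse_xml_hardened(data):
    """Parse XML with DTD/entity features blocked; returns {"root", "elements"} or raises."""
    parser = expat.ParserCreate()
    # Never read the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # XXE and entity-expansion bombs both need a DTD; refuse it outright.
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root={name!r})")

    def reject_entity(*_):
        raise UnsafeXMLError("entity declaration not allowed")

    def reject_external(context, base, sysid, pubid):
        # pyexpat does not fetch URIs itself; raise so the attempt is logged, not skipped.
        raise UnsafeXMLError(f"external entity reference blocked: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    result = {"root": None, "elements": 0}

    def start(tag, attrs):
        result["root"] = result["root"] or tag
        result["elements"] += 1

    parser.StartElementHandler = start
    parser.Parse(data, True)  # a handler exception aborts parsing before any expansion
    return result

def classify(data):
    """Return 'accepted' or 'rejected: <reason>' for an incoming document."""
    try:
        parse_xml_hardened(data)
        return "accepted"
    except (UnsafeXMLError, expat.ExpatError) as exc:
        return f"rejected: {exc}"

# Constructed sample inputs (not from the advisory or any real SAP file).
CLEAN = b"<order><id>4711</id><qty>2</qty></order>"
XXE = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
       b"<order><id>&ext;</id></order>")
EXPANSION = (b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
             b"<order><id>&b;&b;&b;</id></order>")
```

Wrapping the parser this way also gives a single place to emit a detection event whenever a document is rejected, which is useful telemetry while a vendor fix is being rolled out.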

Proof of Concept 

The security team of Green Tick Nepal Pvt. Ltd. has not published a Proof of Concept (PoC) for SAP Business One version 10.0.

Solution 

CVE-ID          Description                                          Products
CVE-2022-35168  Denial of Service vulnerability in SAP Business One  SAP Business One version 10.0

Responsible Disclosure Time 

Date            Remarks
12th July 2022  CVE Published (CVE-2022-35168)
12th Oct 2022   Advisory Planned Date

References 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35168  

https://nvd.nist.gov/vuln/detail/CVE-2022-35168  

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html  
