A note with CVSS 4.2 for component KM-SEN-MGR was released by SAP on 09.08.2022. The correction/advisory 3210566 was described with "[CVE-2022-35293] Missing authorization check in SAP Enable Now Manager" and affects the system type SAP Enable Now.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as monthly patch process.
The vulnerability addressed is missing authentication check within SAP Enable Now.
Risk specificationSAP Enable Now allows an unauthenticated attacker to access user accounts, resulting in vulnerability to information disclosure.
SAP Enable Now sanitizes now properly all scenarios leading to an unauthorized and invalid session requests.
SAP Enable Now provides the knowledge your employees need to succeed exactly where and when it’s needed. The product exists for on-premise and cloud applications. A security guide is provided for each facet of the SAP Enable Now product.
The advisory is valid for
- 10.0 [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
- 10.0 [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication)
- 9.8 [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)
- 9.4 [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java
- 9.0 [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform