Aug 04, 2022 at 02:58 PM

Is SAP BI 4.3 SP 2 Patch 3 vulnerable to CVE-2022-34305


Question, CVE-2022-34305 is not listed in the CVEs that SAP BI is not vulnerable to. Is SAP BI 4.3 SP 2 Patch 3 vulnerable to this? The referenced version of Apache Tomcat is one of the vulnerable versions.

Finding details:

The version of Tomcat installed on the remote host is prior to 9.0.65. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.65_security-9 advisory.

- In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. (CVE-2022-34305)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
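An added example, not part of the question or of any SAP or Tomcat code: it encodes the four affected ranges quoted in the finding into a version check that orders Tomcat milestone builds (`-M<n>`) correctly, and pairs that with the advisory's actual precondition (the flaw is in the bundled examples web application). The `examples_app_deployed` flag is an assumed input the operator supplies from their own deployment inventory.

```python
import re
from typing import Tuple

# Affected ranges exactly as quoted in the Nessus finding for CVE-2022-34305.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M16"),
    ("10.0.0-M1", "10.0.22"),
    ("9.0.30", "9.0.64"),
    ("8.5.50", "8.5.81"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.64' or '10.1.0-M16' into a sortable tuple.

    Milestones sort before the final release of the same x.y.z, so
    10.0.0-M1 < 10.0.0-M10 < 10.0.0 < 10.0.1 (plain string compare gets this wrong).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # final release
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_in_affected_range(version: str) -> bool:
    """True if the version lies inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def assess(version: str, examples_app_deployed: bool) -> str:
    """Version check plus the advisory's precondition (examples web app present).

    A version-only scanner check, like the Nessus finding above, flags every
    host in range; this separates those that actually serve the vulnerable
    example page from those that merely report an affected version string.
    """
    if not version_in_affected_range(version):
        return "not affected: version outside the CVE-2022-34305 ranges"
    if examples_app_deployed:
        return "affected: vulnerable version and examples web application deployed"
    return "version in range but examples web application not deployed; version-only scans will still flag it"
```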