CVE-2022-27670
CVE-2022-27670 is a medium-severity vulnerability in Sap Sql Anywhere with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-99.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (56th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-99
- Affected product: Sap Sql Anywhere
- Published:
- Last modified:
Description
SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use indirect identifiers.
Frequently asked questions
- What is CVE-2022-27670?
- SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use indirect identifiers.
- How severe is CVE-2022-27670?
- CVE-2022-27670 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2022-27670 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (56th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-27670?
- CVE-2022-27670 affects Sap Sql Anywhere. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-27670?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-27670 published?
- CVE-2022-27670 was published on 2022-04-12 and last updated on 2026-06-17.
References
- https://launchpad.support.sap.com/#/notes/3148094
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Affected products (1)
- cpe:2.3:a:sap:sql_anywhere:17.0:*:*:*:*:*:*:*
More vulnerabilities in Sap Sql Anywhere
- CVE-2022-35299 — Critical (CVSS 9.8): SAP SQL Anywhere - version 17.0, and SAP IQ - version 16.1, allows an attacker to leverage logical errors in memory…
- CVE-2023-33990 — High (CVSS 7.8): SAP SQL Anywhere - version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing…
- CVE-2014-9264 — High (CVSS 7.5): Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary…
- CVE-2022-41259 — Medium (CVSS 6.5): SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL…
- CVE-2019-0381 — Medium (CVSS 5.5): A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, before version 16.1, and SAP Dynamic Tier, before…
- CVE-2015-2819 — Medium (CVSS 5.0): SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request,…
All CVEs affecting Sap Sql Anywhere →
Other CWE-99 vulnerabilities
- CVE-2025-43491 — Critical (CVSS 9.8): A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the…
- CVE-2017-5159 — Critical (CVSS 9.8): An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0. When updating an…
- CVE-2025-2410 — Critical (CVSS 9.1): Port manipulation vulnerabilities in ASPECT provide attackers with the ability to con-trol TCP/IP port access if…
- CVE-2025-0756 — Critical (CVSS 9.1): Overview The product receives input from an upstream component, but it does not restrict or incorrectly…
- CVE-2024-57971 — Critical (CVSS 9.1): DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that…
- CVE-2024-5706 — High (CVSS 8.8): The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input…