SAP Security Notes Summary – April 2022
Once a month I publish a review of all SAP Security Notes and related news released during that month. SAP Security Notes contain SAP’s expert advice on important action items and patches that keep your systems secure.
SAP Component | Number | Title | CVSS Score* | Released On |
---|---|---|---|---|
BC-CCM-PRN-PC | 3124994 | [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | 4,7 | 26.04.2022 |
BC-MID-ICF | 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4,7 | 26.04.2022 |
BI-BIP-ADM | 3137191 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform | 6,8 | 26.04.2022 |
XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | 9,8 | 19.04.2022 |
CEC-COM-CPS-WEB | 3171258 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce | 9,8 | 18.04.2022 |
IS-T-MA | 3189635 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics | 9,8 | 14.04.2022 |
IS-SE-CCO | 3187290 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout | 9,8 | 12.04.2022 |
BC-SYB-PD | 3189429 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to and including 16.7 SP05 PL01) | 9,8 | 12.04.2022 |
BI-DEV-WEB | 3055044 | [CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje – SOAP Web services) | 5,4 | 12.04.2022 |
EP-PIN-PRT | 3163583 | [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6,1 | 12.04.2022 |
SV-FRN-INF-SDA | 3159091 | [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) | 2,7 | 12.04.2022 |
MFG-MII | 3158613 | Update 1 to Security Note 3022622 – [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9,1 | 12.04.2022 |
CEC-COM-CPS | 3155609 | Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce | 7 | 12.04.2022 |
BC-WD-UR | 2978151 | Reverse tabnabbing issue in Unified Rendering based frameworks in NetWeaver Application Server Java | 4,7 | 12.04.2022 |
BC-FES-GUI | 3132633 | Information Disclosure vulnerability in SAP GUI for Windows | 5,4 | 12.04.2022 |
BI-BIP-CMC | 3130497 | [CVE-2022-27671] CSRF token visible in one of the URLs in SAP Business Intelligence Platform | 8,2 | 12.04.2022 |
BC-CST-WDP | 3111293 | [CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP NetWeaver (Internet Communication Manager) | 4,9 | 12.04.2022 |
BC-CST-WDP | 3111311 | [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP NetWeaver (Internet Communication Manager) | 7,5 | 12.04.2022 |
CA-WUI-UI | 3101986 | Enable CSP support for OP1909 in SAP CRM WebClient UI | 4,1 | 12.04.2022 |
BC-ILM-DAS | 3152442 | [CVE-2022-27669] Missing Authentication check in XML Data Archiving Service | 5,3 | 12.04.2022 |
BI-BIP-BIW | 3150845 | [CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | 4,3 | 12.04.2022 |
EP-PIN-WPC | 3148377 | [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC | 6,5 | 12.04.2022 |
BC-SYB-SQA | 3148094 | [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere | 6,5 | 12.04.2022 |
BI-BIP-ADM | 3145769 | [CVE-2022-27667] Information Disclosure vulnerability in CMC | 5,3 | 12.04.2022 |
CA-VE-VEV | 3143437 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6,5 | 12.04.2022 |
XX-PART-ADB-IFM | 3138299 | [CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) | 4,1 | 12.04.2022 |
BC-MID-RFC | 3128473 | [CVE-2022-22545] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4,9 | 12.04.2022 |
CA-GTF-VBZ | 3126557 | [CVE-2022-28770] Cross-Site Scripting (XSS) vulnerability in SAPUI5 (vbm library) | 6,1 | 12.04.2022 |
MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9,1 | 12.04.2022 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 12.04.2022 |
CA-UI5-COR-FND | 3163703 | Multiple Vulnerabilities in URI.js bundled with SAPUI5 | 6,1 | 12.04.2022 |
BC-XS-SEC | 3189428 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services | 9,8 | 12.04.2022 |
*The Common Vulnerability Scoring System (CVSS) captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
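As an added example (not part of the original post, and not SAP tooling), the snippet below turns the table above into a severity-ranked triage list: it parses rows in the same pipe-separated layout, normalises the comma-decimal scores the table uses ("9,8"), extracts the CVE identifiers from the titles, and buckets each note with the CVSS v3.x qualitative rating scale published by FIRST (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0). The sample rows are a constructed subset copied from the table; the `Note` class and function names are my own.

```python
# Added example: triage SAP Security Notes from the summary table by
# CVSS qualitative rating. Not code from the original page or from SAP.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a subset of the page's table, in its own format.
SAMPLE_ROWS = """\
XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | 9,8 | 19.04.2022 |
BI-BIP-CMC | 3130497 | [CVE-2022-27671] CSRF token visible in one of the URLs in SAP Business Intelligence Platform | 8,2 | 12.04.2022 |
BC-MID-ICF | 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4,7 | 26.04.2022 |
SV-FRN-INF-SDA | 3159091 | [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) | 2,7 | 12.04.2022 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 12.04.2022 |
CA-VE-VEV | 3143437 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6,5 | 12.04.2022 |
"""

# CVSS v3.x qualitative severity rating scale (FIRST): (upper bound, label).
SEVERITY_BANDS = [
    (0.0, "None"),
    (3.9, "Low"),
    (6.9, "Medium"),
    (8.9, "High"),
    (10.0, "Critical"),
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Note:
    component: str
    number: str
    title: str
    score: float
    released: str
    cves: tuple[str, ...]


def parse_score(text: str) -> float:
    """Accept '9,8' (as printed in the table) as well as '9.8'; reject junk."""
    value = float(text.strip().replace(",", "."))
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"CVSS score out of range: {text!r}")
    return value


def severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score above 10.0: {score}")


def parse_rows(table: str) -> list[Note]:
    """Parse 'Component | Number | Title | Score | Released |' rows.

    Header, separator and malformed lines are skipped rather than raising,
    so the function can be fed the whole table as pasted."""
    notes: list[Note] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[1].isdigit():
            continue
        component, number, title, score, released = cells
        notes.append(Note(component, number, title, parse_score(score),
                          released, tuple(CVE_RE.findall(title))))
    return notes


def triage(notes: list[Note]) -> dict[str, list[str]]:
    """Group note numbers by qualitative severity, highest score first."""
    ordered = sorted(notes, key=lambda n: n.score, reverse=True)
    buckets: dict[str, list[str]] = {}
    for n in ordered:
        buckets.setdefault(severity(n.score), []).append(n.number)
    return buckets


if __name__ == "__main__":
    for label, numbers in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{label:8} {', '.join(numbers)}")
```

Feeding the full table to `parse_rows` gives the month's patch queue in rating order; notes without a CVE in the title (such as the Chromium and URI.js bundles) still get ranked by score, which is what matters for scheduling the patch.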