SAP Security Notes Summary – December 2022
Traditionally, once a month I publish a review of all SAP security notes and news that were released in a given month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.
SAP Component | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
BC-XI-CON-MSG | 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System) | 9,4 | 23.12.2022 |
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | 23.12.2022 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 13.12.2022 |
SV-SMG-DIA-SRV-AGT | 3265173 | [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) | 6 | 13.12.2022 |
BC-BSP | 3258950 | Update 1 to Security Note 2872782 – [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) | 6,1 | 13.12.2022 |
BC-EIM-ESH | 3271313 | [CVE-2022-41275] Open redirect in SAP Solution Manager (Enterprise Search) | 6,1 | 13.12.2022 |
BI-BIP-SRV | 3239475 | [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform | 9,9 | 13.12.2022 |
EPM-DSM-GEN | 3266846 | [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management | 6,5 | 13.12.2022 |
BC-JAS-WEB | 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6,1 | 13.12.2022 |
CEC-COM-CPS | 3248255 | [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 8 | 13.12.2022 |
BI-RA-WBI | 3249648 | [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) | 4,3 | 13.12.2022 |
CEC-COM-CPS-COR | 3271523 | Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce | 9,8 | 13.12.2022 |
EPM-BPC-NW | 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8,5 | 13.12.2022 |
BC-DB-HDB-POR | 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8,8 | 13.12.2022 |
SRM-ESO-SEC | 3270399 | [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management | 4,3 | 13.12.2022 |
BC-BSP | 2872782 | [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00 | 6,1 | 13.12.2022 |
CA-MDG-APP-CUS | 3234755 | Information Disclosure vulnerability in Master Data Governance | 4,3 | 13.12.2022 |
BI-BIP-ADM | 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | 8,2 | 13.12.2022 |
*CVSS captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.