SAP Security Notes Summary – December 2023
Once a month I publish a review of all SAP Security Notes and related news released during that month. SAP Security Notes contain SAP's expert advice on important action items and patches needed to keep your systems secure.
| SAP Component | Number | Title | CVSS Score* | Released On |
|---|---|---|---|---|
| BC-CP-CF-SEC-LIB | 3411067 | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries | 9.1 | 13.12.2023 |
| SV-SMG-IMP | 3395306 | [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager | 6.4 | 12.12.2023 |
| CA-UI5-COR-FND | 3159329 | Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5 | 5.3 | 12.12.2023 |
| CA-MDG-ML | 3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | 3.5 | 12.12.2023 |
| CEC-EMA | 3406244 | [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID | 7.1 | 12.12.2023 |
| CA-FLP-ABA | 3406786 | [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad | 4.3 | 12.12.2023 |
| BC-CCM-MON-ORA | 3392547 | [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4.1 | 12.12.2023 |
| BC-FES-GUI | 3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java | 7.3 | 12.12.2023 |
| PY-IE | 3217087 | [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution) | 6.1 | 12.12.2023 |
| BI-BIP-ADM | 3382353 | [CVE-2023-42478] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform | 7.5 | 12.12.2023 |
| IS-OIL-DS-HPM | 3399691 | Update 1 to 3350297 – [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | 9.1 | 12.12.2023 |
| BC-MID-SCC | 3362463 | [CVE-2023-49578] Denial of service (DoS) in SAP Cloud Connector | 3.5 | 12.12.2023 |
| CEC-COM-CPS | 3394567 | [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud | 8.1 | 12.12.2023 |
| FIN-FSCM-BD | 3383321 | [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct | 6.1 | 12.12.2023 |
| BI-RA-WBI-FE | 3369353 | [CVE-2023-42476] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence | 6.8 | 12.12.2023 |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | 12.12.2023 |
| IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | 9.1 | 12.12.2023 |
*CVSS (Common Vulnerability Scoring System) captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.