SAP Security Notes Summary – June 2022
Traditionally once a month I’ll publish review all SAP security notes and news that were released in a given month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.
| SAP Component | Number | Title | CVSS Score | Released On |
|---|---|---|---|---|
| LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | 6,5 | 29.06.2022 |
| IS-A | 2726124 | Missing Authorization Check in multiple components under SAP Automotive Solutions | 6,3 | 28.06.2022 |
| BC-JAS-ADM-ADM | 3147498 | Improper Access Control check in SAP NetWeaver basicadmin and adminadapter services | 7,4 | 28.06.2022 |
| BC-ABA-LI | 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6,5 | 28.06.2022 |
| BC-DB-SYB | 3155571 | [CVE-2022-31594] Privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE) | 3,2 | 28.06.2022 |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 14.06.2022 |
| CA-VE-VEV | 3206271 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6,5 | 14.06.2022 |
| EPM-BFC-PRO | 3158815 | [CVE-2022-31595] Privilege escalation vulnerability in SAP Financial Consolidation | 5 | 14.06.2022 |
| BC-CST-STS | 3158619 | [CVE-2022-29614] Privilege Escalation in SAP startservice of SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database | 4,9 | 14.06.2022 |
| BC-CST-NI | 3158375 | [CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform | 8,6 | 14.06.2022 |
| PY-BR | 3134161 | Missing Authorization check in SAP ERP HCM | 6,5 | 14.06.2022 |
| BC-DWB-JAV-COR | 3202846 | [CVE-2022-29615] Multiple vulnerabilities associated with Apache log4j 1.x component in SAP NetWeaver Developer Studio (NWDS) | 3,4 | 14.06.2022 |
| BC-CTS-DTR | 3197927 | [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository) | 6,1 | 14.06.2022 |
| BC-SYB-PD | 3197005 | [CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7 | 7,8 | 14.06.2022 |
| BC-CST-STS | 3194674 | [CVE-2022-29612] Server-Side Request Forgery in SAP NetWeaver, ABAP Platform and SAP Host Agent | 5 | 14.06.2022 |
| FI-LOC-FI-IL-AP | 3203065 | [CVE-2022-31589] Segregation of Duty vulnerability in IL FI-AP File from SHAAM program. | 5 | 14.06.2022 |
| FIN-FSCM-PF | 3104349 | Missing authorization check in S/4HANA finance for advanced payment management | 3,3 | 14.06.2022 |
| CEC-MKT-CPG | 3191812 | Cross-Site Scripting (XSS) vulnerability in SAP Marketing Campaigns App | 3,7 | 14.06.2022 |
| CEC-MKT-CPG | 3190675 | Unsafe use of target blank in SAP Marketing Campaigns. | 3,7 | 14.06.2022 |
*The characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.