SAP Security Notes Summary – March 2022
Traditionally, once a month I publish a review of all SAP security notes and news released in that month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.
SAP Component | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
PLM-INM | 3165856 | [CVE-2022-27658] Missing authorization check in SAP Innovation Management | 4,3 | 28.03.2022 |
LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | 6,5 | 22.03.2022 |
BC-CST-IC | 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | 10 | 22.03.2022 |
BC-CST-IC | 3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java | 8,1 | 22.03.2022 |
BC-CST-WDP | 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | 8,9 | 22.03.2022 |
BC-CST | 3116223 | [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) | 3,7 | 22.03.2022 |
FIN-FSCM-PF | 3104349 | Missing authorization check in S/4HANA finance for advanced payment management | 3,3 | 22.03.2022 |
CA-FLP-FE-COR | 3149805 | [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad | 8,2 | 22.03.2022 |
FI-LOC-SRF-RUN | 2784596 | Cross-Site Request Forgery (CSRF) vulnerability in Run Compliance Report | 4,2 | 08.03.2022 |
XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | 10 | 08.03.2022 |
EP-PIN-RTM | 3132360 | [CVE-2022-26103] Information Disclosure vulnerability in SAP NetWeaver (Real Time Messaging Framework) | 3,7 | 08.03.2022 |
BC-INS-TLS | 3111110 | [CVE-2022-26100] Denial of service (DOS) in SAPCAR | 4,8 | 08.03.2022 |
BI-BIP-SL-ENG-OLA | 3103424 | [CVE-2022-24398] Information Disclosure vulnerability in SAP Business Objects Business Intelligence Platform | 5 | 08.03.2022 |
MOB-SYC-SAP-WM | 3154684 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager | 10 | 08.03.2022 |
SV-FRN-APP-RUM | 3147283 | [CVE-2022-24399] Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring) | 5,4 | 08.03.2022 |
SV-FRN-INF-SDA | 3147102 | [CVE-2022-22547] Information Disclosure vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) | 5,3 | 08.03.2022 |
EP-PIN-NAV | 3146261 | [CVE-2022-24395] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6,1 | 08.03.2022 |
BC-ABA-SC | 3145997 | [CVE-2022-26102] Missing authorization check in SAP NetWeaver Application Server for ABAP | 5,4 | 08.03.2022 |
SV-FRN-INF-SDA | 3145987 | [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) | 9,3 | 08.03.2022 |
EPM-BFC-PSI-INS | 3144941 | [CVE-2022-26104] Missing Authorization check in SAP Financial Consolidation | 5,4 | 08.03.2022 |
BC-JAS-WEB | 1753378 | Directory traversal in Web Container | 5,3 | 08.03.2022 |
EP-PIN-NAV | 3146260 | [CVE-2022-24397] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6,1 | 08.03.2022 |
*CVSS (the Common Vulnerability Scoring System) captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.