SAP Security Notes Summary – March 2023
Traditionally, once a month I publish a review of all SAP security notes and news released in that month. SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.
SAP Component | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | 5,4 | 28.03.2023 |
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | 28.03.2023 |
FI-TV-ODT-MTR | 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6,5 | 28.03.2023 |
BC-DWB-TOO-TDF | 3289844 | [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform | 6,8 | 14.03.2023 |
BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9,9 | 14.03.2023 |
BI-BIP-SRV | 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | 9 | 14.03.2023 |
BC-IAM-SSO-OTP | 3302710 | [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android | 6,1 | 14.03.2023 |
BC-MID-ICF | 3296328 | [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | 6,5 | 14.03.2023 |
BC-CTS-TMS | 3294954 | [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 8,7 | 14.03.2023 |
BC-CST-EQ | 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | 9,9 | 14.03.2023 |
BC-CCM-PRN | 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9,6 | 14.03.2023 |
BC-MID-ICF | 3296346 | [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 7,4 | 14.03.2023 |
BC-SRV-KPR-CS | 3281484 | [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server | 6,1 | 14.03.2023 |
BC-CCM-PRN-PC | 3274920 | [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | 6,1 | 14.03.2023 |
BC-DOC-RIT | 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9,6 | 14.03.2023 |
EP-PIN-PSL | 3284550 | [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | 6,8 | 14.03.2023 |
SV-SMG-SDD | 3296476 | [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | 8,8 | 14.03.2023 |
BC-CCM-MON-OS | 3275727 | [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL | 7,2 | 14.03.2023 |
BI-BIP-INV | 3287120 | [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | 6,5 | 14.03.2023 |
BC-JAS-COR-SES | 3288480 | [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | 5,3 | 14.03.2023 |
BC-JAS-COR-CSH | 3288096 | [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | 5,3 | 14.03.2023 |
BC-JAS-COR | 3288394 | [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) | 5,3 | 14.03.2023 |
*CVSS captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.