SAP Security Notes Summary – November 2021
Traditionally, once a month I publish a review of all SAP security notes and news released in a given month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.
SAP Components | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
IS-A-VMS | 2460948 | Missing Authorization Check in Vehicle Management System | 5,3 | 23.11.2021 |
SRM-EBP-INT | 2661033 | Missing Authorization check in RFC enabled function modules in SRM | 6,3 | 23.11.2021 |
BC-UPG-NZ | 3089831 | [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework | 9,9 | 23.11.2021 |
BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | 5,4 | 23.11.2021 |
FI-LOC-FI-FR | 3068582 | [CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR | 5,4 | 09.11.2021 |
BC-FES-GUI | 3080106 | [CVE-2021-40503] Information Disclosure in SAP GUI for Windows | 6,8 | 09.11.2021 |
BC-XI-IBF | 2607126 | Cross-Site Request Forgery vulnerability in Enterprise Services Repository of SAP Process Integration | 6,3 | 09.11.2021 |
BC-MID-RFC | 3099776 | [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel | 9,6 | 09.11.2021 |
IS-R-FRO | 2827086 | Several security vulnerabilities in FRP 5.4.0 and FR Engine 5.4.0 | 7,9 | 09.11.2021 |
XX-PART-WILY | 2971638 | [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) | 7,5 | 09.11.2021 |
CEC-COM-CPS-WEB | 3110328 | [CVE-2021-40502] Missing Authorization check in SAP Commerce | 8,3 | 09.11.2021 |
CEC-MKT-OFM | 3106859 | URL Redirection vulnerability in Offer Management | 4,3 | 09.11.2021 |
BC-DWB-TOO | 3105728 | [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform | 4,9 | 09.11.2021 |
PY-PT | 3104456 | [CVE-2021-42062] Missing Authorization check in SAP ERP HCM | 6,5 | 09.11.2021 |
*The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.