SAP Security Notes Summary – September 2023
Once a month I publish a review of all SAP Security Notes and related news released during that month. SAP Security Notes contain SAP's expert advice on the important action items and patches needed to keep your systems secure.
SAP Component | Number | Title | CVSS Score* | Released On |
---|---|---|---|---|
FI-AP-AP-Q1 | 3219846 | [CVE-2023-42473] Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) | 5,4 | 26.09.2023 |
BI-BIP-LCM | 3320355 | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9,9 | 12.09.2023 |
BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9,9 | 12.09.2023 |
BC-SYB-PD | 3357163 | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client | 6,3 | 12.09.2023 |
FI-FIO-AP-CHK | 3355675 | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 2,7 | 12.09.2023 |
MM-FIO-PUR-SQ-CON | 3326361 | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App | 5,4 | 12.09.2023 |
BI-RA-WBI-FE | 3370490 | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 8,7 | 12.09.2023 |
BC-GP | 3348142 | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures) | 5,3 | 12.09.2023 |
BI-BIP-LCM | 3352453 | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 5,3 | 12.09.2023 |
FS-QUO | 3349805 | Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | 5,7 | 12.09.2023 |
BC-IAM-SSO-CCL | 3327896 | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib | 7,5 | 12.09.2023 |
BC-WD-UR | 3323163 | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 5,5 | 12.09.2023 |
BI-BIP-INS | 3317702 | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | 6,2 | 12.09.2023 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 12.09.2023 |
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | 12.09.2023 |
FI-FIO-AP | 3369680 | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | 3,5 | 12.09.2023 |
BC-IAM-SSO-CCL | 3340576 | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | 9,8 | 12.09.2023 |
*CVSS (Common Vulnerability Scoring System) captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.