We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.

Yikes, there is work to do!
This time we found critical correction advisories. We count 19 and the highest CVSS score is 9.9.

[Charts: Severity (SAP© Security advisories: 19); System Types (Affected SAP© system types)]

SAP Note 3040210
CVSS 9.9
Affected system type SAP Commerce / SAP...
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce

SAP Note 3017908
CVSS 8.3
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management

SAP Note 3017823
CVSS 8.2
Affected system type SAP Solution Manager
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-21483] Information Disclosure in SAP Solution Manager

SAP Note 3039649
CVSS 7.5
Affected system type SAP GUI / Frontend
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27608] Unquoted Search Path in SAPSetup

SAP Note 3001824
CVSS 7.4
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands)

SAP Note 3036436
CVSS 6.5
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings)

SAP Note 3027937
CVSS 6.5
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27598] Improper Access Control in SAP NetWeaver AS for Java (Customer Usage Provisioning Servlet)

SAP Note 3012277
CVSS 6.5
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27599] Information Disclosure in SAP Process Integration (Integration Builder Framework)

SAP Note 3028729
CVSS 6.5
Affected system type ABAP
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27603] Denial of Service (DoS) in SAP NetWeaver AS of ABAP

SAP Note 3024414
CVSS 6.4
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27600] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules)

SAP Note 2963592
CVSS 5.4
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27601] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (Applications based on HTMLB for Java)

SAP Note 3005802
CVSS 5.4
Affected system type ABAP
Patchday 2021-04
Released on 2021/03/23
Description Cross-Site Request Forgery (CSRF) vulnerability in S/4HANA Finance for advanced payment management

SAP Note 3036679
CVSS 5.3
Affected system type ABAP
Patchday 2021-04
Released on 2021/04/13
Description Update 1 to Security Note 1576763: Potential information disclosure relating to usernames

SAP Note 2911863
CVSS 5.3
Affected system type BI/BO platform
Patchday 2021-04
Released on 2021/04/13
Description Information Disclosure in BOE/CMC application

SAP Note 2818965
CVSS 4.6
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description Clickjacking vulnerability in Runtime Workbench of SAP Process Integration

SAP Note 3030948
CVSS 4.6
Affected system type SAP Solution Manager...
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27609] Missing Authorization check in SAP Focused RUN

SAP Note 3035472
CVSS 4.3
Affected system type SAP 3D Visual Enterprise
Patchday 2021-04
Released on 2021/03/18
Description [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer

SAP Note 3025054
CVSS 4.3
Affected system type ABAP
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2

SAP Note 3025637
CVSS 4.3
Affected system type Java
Patchday 2021-04
Released on 2021/04/13
Description [CVE-2021-21492] Content spoofing in NetWeaver AS Java HTTP Service