We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.


Yikes, there is work to do!
This time we found critical correction advisories. We count 28 and the highest CVSS score is 9.8.

 

[Charts: SAP© Security advisories by severity (28); affected SAP© system types]

 

| Note | CVSS | Affected system type | Patchday | Released on | Description |
|---|---|---|---|---|---|
| 3189428 | 9.8 | SAP HANA Platform | 2022-04 | 2022/04/12 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services |
| 3170990 | 9.8 | Any | 2022-04 | 2022/04/12 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework |
| 3187290 | 9.8 | SAP Customer Checkout | 2022-04 | 2022/04/12 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout |
| 3189429 | 9.8 | Java | 2022-04 | 2022/04/12 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to including 16.7 SP05 PL01) |
| 3189635 | 9.8 | SAP Customer... | 2022-04 | 2022/04/14 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics |
| 3171258 | 9.8 | SAP Commerce | 2022-04 | 2022/04/18 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce |
| 3158613 | 9.1 | Java | 2022-04 | 2022/04/12 | Update 1 to Security Note 3022622 - [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence |
| 3130497 | 8.2 | BI/BO platform | 2022-04 | 2022/04/12 | [CVE-2022-27671] CSRF token visible in one of the URL in SAP Business Intelligence Platform. |
| 3111311 | 7.5 | Kernel | 2022-04 | 2022/04/12 | [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) |
| 3155609 | 7.0 | SAP Commerce | 2022-04 | 2022/04/12 | Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce |
| 3137191 | 6.8 | BI/BO platform | 2022-04 | 2022/04/12 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform |
| 3148094 | 6.5 | Sybase | 2022-04 | 2022/04/12 | [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere |
| 3143437 | 6.5 | SAP 3D Visual Enterprise | 2022-04 | 2022/04/12 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer |
| 3148377 | 6.5 | Java | 2022-04 | 2022/04/12 | [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC |
| 3126557 | 6.1 | ABAP | 2022-04 | 2022/04/12 | [CVE-2022-28770] Cross-Site Scripting (XSS) vulnerability in SAPUI5 (vbm library) |
| 3163583 | 6.1 | Java | 2022-04 | 2022/04/12 | [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal |
| 3163703 | 6.1 | ABAP | 2022-04 | 2022/04/12 | Multiple Vulnerabilities in URI.js bundled with SAPUI5 |
| 3132633 | 5.4 | SAP GUI / Frontend | 2022-04 | 2022/04/12 | Information Disclosure vulnerability in SAP GUI for Windows |
| 3055044 | 5.4 | BI/BO platform | 2022-04 | 2022/04/12 | [CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje - SOAP Web services) |
| 3145769 | 5.3 | BI/BO platform | 2022-04 | 2022/04/12 | [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) |
| 3152442 | 5.3 | Java | 2022-04 | 2022/04/12 | [CVE-2022-27669] Missing Authentication check in XML Data Archiving Service |
| 3111293 | 4.9 | Kernel | 2022-04 | 2022/04/12 | [CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) |
| 3165333 | 4.7 | ABAP | 2022-04 | 2022/04/12 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform |
| 3165856 | 4.3 | SAP Innovation Management | 2022-04 | 2022/03/28 | [CVE-2022-27658] Missing authorization check in SAP Innovation Management |
| 3150845 | 4.3 | BI/BO platform | 2022-04 | 2022/04/12 | [CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) |
| 3101986 | 4.1 | ABAP | 2022-04 | 2022/04/12 | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI |
| 3138299 | 4.1 | Adobe LiveCycle Designer | 2022-04 | 2022/04/12 | [CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) |
| 3159091 | 2.7 | SAP Solution Manager... | 2022-04 | 2022/04/12 | [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) |