On the 8th of June 2021, SAP Security Patch Day saw the release of 17 new Security Notes.
There was 2 update to previously released Patch Day Security Notes.
Notes by severity
HotNews | 2 |
Correction with high priority | 4 |
Correction with medium priority | 13 |
Correction with low priority | 0 |
Highlights
On June Patch Day SAP presents 6 high-severity Notes with 2 of them rated as HotNews.
3040210 Security Note – Remote Code Execution vulnerability in Source Rules of SAP Commerce – provides us with an update for the April release (CVSS Score 9.9). 3007182 Security Note – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform – describes the potential compromise of the integrity of the system (CVSS Score 9.0).
Several Security Notes 3020209, 3020104 and 3021197 with a CVSS Score of 7.5 – Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform – contain several SAP NetWeaver vulnerabilities distributed throughout the Notes by reasons and prerequisites. CPIC-based communication may temporarily become unavailable, SAP Enqueue Server (ENSA1) and NetWeaver ABAP Server along with ABAP Platform can be affected by memory corruption through potential malicious actions.
Summary
SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
CEC-COM-CPS-CKP | 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
BC-MID-RFC | 3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | 9 | HotNews | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
BC-ESI-WS-JAV-CFG | 3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA | 8.7 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H |
BC-CST-GW | 3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-CST-EQ | 3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-CST-DP | 3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
SBO-CRO-SEC | 3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One | 6.7 | Correction with medium priority | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
MFG-ME-API | 3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution | 6.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
BC-SRV-RM | 3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
CA-SUR | 3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver AS for ABAP (Web Survey) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-FES-IGS | 3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP Internet Graphics Service | 5.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
KM-SEN-MGR | 3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder – Manager) | 5.9 | Correction with medium priority | CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
BC-CST-IC | 3030604 | [CVE-2021-33663] Plaintext Injection in SAP NetWeaver AS for ABAP | 5.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
BC-JAS-SEC-UME | 3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS for Java (UserAdmin) | 5.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
BC-WD-ABA | 3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
BC-FES-WGU | 3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CEC-HCS-CCAZ-CZO | 2985562 | [CVE-2021-33666] Cross-Site Scripting (XSS) in SAP Commerce Cloud | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-VE-VEV | 3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
FI-TV-ODT-MTE | 3025054 | [CVE-2021-27605 ] Missing Authorization check in HCM Travel Management Fiori Apps V2 | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |