On June 14, SAP released 10 new and 2 updated security notes.
Notes by severity
HotNews — 1
Correction with high priority — 2
Correction with medium priority — 7
Correction with low priority — 2
The most critical update with CVSS Score 10 in this patch is 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client” with updated “Solution” and “Support Packages & Patches” information.
Note 3158375 fixes Improper Access Control vulnerability for SAProuter and ABAP Platform. In this case, with some permission table in file “saprouttab” settings, it is possible for an unauthenticated attacker to execute SAProuter administration commands from a remote client, for example stopping the SAProuter. In this note, there is a Workaround if the SAProuter update is not possible.
The final critical note is 3197005 “Potential privilege escalation in SAP PowerDesigner 16.7”. This vulnerability allows a user with low privileges and local access to elevate privileges under certain circumstances. This note includes a Workaround if a product update is not possible.
|SAP Component||Number||Description||Priority||CVSS||CVSS Vector|
|BC-FES-BUS-DSK||2622660||Security updates for the browser control Google Chromium delivered with SAP Business Client||HotNews||10.0||CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|
|BC-CST-NI||3158375||[CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform||high||8.6||CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H|
|BC-SYB-PD||3197005||[CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7||high||7.8||CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H|
|BC-ABA-LI||3165801||[CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform||medium||6.5||CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N|
|CA-VE-VEV||3206271||[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer||medium||6.5||CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L|
|BC-CTS-DTR||3197927||[CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository)||medium||6.1||CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N|