SAP Security Notes - June 2022 - Safe O'Clock

SAP Security Notes – June 2022

June 14, 2022

On June 14, SAP released 10 new and 2 updated security notes.

Notes by severity

HotNews — 1

Correction with high priority — 2

Correction with medium priority — 7

Correction with low priority — 2

Highlights

The most critical update with CVSS Score 10 in this patch is 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client” with updated “Solution” and “Support Packages & Patches” information.

Note 3158375 fixes Improper Access Control vulnerability for SAProuter and ABAP Platform. In this case, with some permission table in file “saprouttab” settings, it is possible for an unauthenticated attacker to execute SAProuter administration commands from a remote client, for example stopping the SAProuter. In this note, there is a Workaround if the SAProuter update is not possible.

The final critical note is 3197005 “Potential privilege escalation in SAP PowerDesigner 16.7”. This vulnerability allows a user with low privileges and local access to elevate privileges under certain circumstances. This note includes a Workaround if a product update is not possible.

Summary

SAP Component Number Title CVSS Score  Priority CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client 10 HotNews CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-CST-NI 3158375 [CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform 8.6 Correction with high priority CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
BC-SYB-PD 3197005 [CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7 7.8 Correction with high priority CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-ABA-LI 3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform 6.5 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CA-VE-VEV 3206271 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer 6.5 Correction with medium priority CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
BC-CTS-DTR 3197927 [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository) 6.1 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP News Overview for April 2023 – new SAP office in San Francisco, AMD is SAP customer and others

New SAP office in San Francisco SAP is constantly expanding to make its services available to more customers. The company […]

Read more
SAP Security Notes – May 2023

May 2023 On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released. There were […]

Read more
SAP Security Notes – April 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes. There were […]

Read more
SAP News Overview for March 2023 – Industry Cloud for healthcare, Axfood and others

SAP’s Industry Cloud helps healthcare In life sciences and healthcare, SAP is committed to helping its customers develop and advance […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK