On June 14, SAP released 10 new and 2 updated security notes.
Notes by severity
HotNews — 1
Correction with high priority — 2
Correction with medium priority — 7
Correction with low priority — 2
Highlights
The most critical item in this Patch Day, with a CVSS score of 10, is the updated note 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client”, re-released with updated “Solution” and “Support Packages & Patches” information.
Note 3158375 fixes an Improper Access Control vulnerability in SAProuter for SAP NetWeaver and ABAP Platform. Depending on the settings in the route permission table (file “saprouttab”), an unauthenticated attacker can execute SAProuter administration commands from a remote client, for example to stop the SAProuter. The note also provides a workaround if the SAProuter cannot be updated.
The remaining high-priority note is 3197005 “Potential privilege escalation in SAP PowerDesigner 16.7”. This vulnerability allows a user with low privileges and local access to escalate privileges under certain circumstances. The note includes a workaround if a product update is not possible.
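Because note 3158375 hinges on how saprouttab is written, the first thing an administrator wants is a way to audit the table before (and after) patching. The script below is an added example written for this post, not code from SAP or from the note. It assumes the documented plain-entry format `P|S|D <source-host> <dest-host> <dest-service> [password]` with `*` wildcards, CIDR masks and `a-b` port ranges, SAProuter's top-down first-match evaluation, and the assumption that a permit entry whose destination covers the router's own address (or loopback) on its service port (3299 by default) is the kind of setting the note warns about. The two tables are constructed for the example; the router address `10.1.1.5` and application server `10.1.1.10` are placeholders. Confirm the exact risky condition and the recommended deny entries against the note itself.

```python
"""Static audit of a saprouttab for permit entries that could expose the
SAProuter's own administration interface to remote clients (example code,
assumptions documented in the comments; not SAP's tooling)."""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str    # "P" (permit), "S" (permit, SAP protocols only) or "D" (deny)
    source: str    # client host pattern
    dest: str      # destination host pattern
    service: str   # destination service/port pattern
    lineno: int    # 1-based line in the table, for reporting


def parse_saprouttab(text):
    """Parse plain P/S/D entries; comments and blank lines are skipped.
    SNC entries (KP/KS/KD/KT) are outside this check and are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() not in ("P", "S", "D") or len(fields) < 4:
            continue
        rules.append(Rule(fields[0].upper(), fields[1], fields[2], fields[3], lineno))
    return rules


def host_matches(pattern, host):
    """Does a host pattern cover a concrete host? Supports '*', wildcard
    pieces such as 10.1.*.*, CIDR masks, and plain (case-insensitive) equality."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:          # host is a name, or pattern is not a valid mask
            return False
    if "*" in pattern:
        return fnmatch.fnmatchcase(host, pattern)
    return pattern == host


def service_matches(pattern, service):
    """'*' matches everything; numeric ranges like 3200-3299 are supported."""
    if pattern == "*":
        return True
    lo, dash, hi = pattern.partition("-")
    if dash and lo.isdigit() and hi.isdigit() and service.isdigit():
        return int(lo) <= int(service) <= int(hi)
    return pattern == service


def find_exposed_admin_routes(text, router_addresses, admin_port="3299"):
    """Walk the table top-down (first match wins, as SAProuter does) and return
    (lineno, source, target, entry) for permit entries that let the matched
    sources open a route to the router's own address on its service port."""
    findings = []
    targets = ["127.0.0.1", "localhost", *router_addresses]
    rules = parse_saprouttab(text)
    for target in targets:
        for rule in rules:
            if not (host_matches(rule.dest, target) and service_matches(rule.service, admin_port)):
                continue
            if rule.action == "D":
                if rule.source == "*":
                    break           # every remaining source is denied for this target
                continue            # only some sources denied; keep looking
            findings.append((rule.lineno, rule.source, target,
                             f"{rule.action} {rule.source} {rule.dest} {rule.service}"))
            if rule.source == "*":
                break               # all sources decided for this target
    return findings


# Constructed sample tables (placeholders, not from any real system).
WEAK_SAPROUTTAB = """\
# SAP GUI traffic from the corporate network to the application server
P 10.0.0.0/8 10.1.1.10 3200
# deny routing to the application server's own saprouter port
D * 10.1.1.10 3299
# catch-all: also lets any client route back to this router's admin port
P * * *
"""

HARDENED_SAPROUTTAB = """\
D * 127.0.0.1 *
D * localhost *
D * 10.1.1.5 3299
P 10.0.0.0/8 10.1.1.10 3200
"""

if __name__ == "__main__":
    for name, table in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(name, find_exposed_admin_routes(table, ["10.1.1.5"]))
```

On the weak table every target is reached through the trailing `P * * *` entry, so the report points at that one line; the hardened table denies the loopback and router addresses before any permit entry is considered, and nothing is reported. Deny entries must precede the permits because evaluation stops at the first match.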
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-NI | 3158375 | [CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform | 8.6 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| BC-SYB-PD | 3197005 | [CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7 | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-ABA-LI | 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CA-VE-VEV | 3206271 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6.5 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| BC-CTS-DTR | 3197927 | [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |