SAP Security Notes – June 2023 - Safe O'Clock

June 14, 2023

On the 13th of June 2023, SAP Security Patch Day saw the release of 8 new Security Notes.

There were 5 updates to previously released Security Notes.

Notes by severity

HotNews: 0
Correction with high priority: 4
Correction with medium priority: 8
Correction with low priority: 1

Highlights


On the June Patch Day, SAP presented 4 high-severity Notes; all of them are rated as corrections with high priority.

The list for today is not large, which lets us describe in more detail what you should look at first.

First, we will look at Note 3102769, a Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse, with a CVSS score of 8.8. Unauthorized attackers can launch XSS attacks using just one SAP KW component within a web browser, potentially disclosing sensitive data. This Note was re-released with updated “Support Packages & Patches” information for releases 7.31 and 7.40; its previous update was on 23rd August 2022.

SAP UI5 gets a couple of high-priority corrections:

Note 3324285 – Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management), with a CVSS score of 8.2. Insufficient encoding of user-controlled input in UI5 Variant Management causes a vulnerability known as Stored Cross-Site Scripting (Stored XSS). After successful exploitation, an attacker with user-level access can severely compromise user privacy, change sensitive data, and render the application unavailable to users.
Note 3326210 – Improper Neutralization of Input in SAPUI5, with a CVSS score of 7.1. Untrusted CSS can be injected because SAPUI5’s sap.m.FormattedText control fails to effectively neutralize input. This can prevent users from accessing the application. Additionally, because the control likewise lacks URL validation, the vulnerability could allow an attacker to view or modify user information through phishing attacks. The Note was re-released from the previous Patch Day with updated ‘Solution’ and ‘Workaround’ information.

Integration with SAP Plant Connectivity for SAP Digital Manufacturing also gets an important security patch:

The last Note to mention is 3301942 – Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing, with a CVSS score of 7.9. The JSON Web Token (JWT) signature in the HTTP request provided by SAP Digital Manufacturing is not verified by SAP Plant Connectivity 15.5 (PCo) or the Production Connector for SAP Digital Manufacturing. Unauthorized callers from the internal network might therefore be able to issue service requests to PCo or the Production Connector, which might compromise the integrity of the integration with SAP Digital Manufacturing.
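The missing check described above, as an added illustration that is not SAP's code: a minimal HS256 JWT verifier beside the unverified handler it replaces. The shared key, the claim names and the tenant value are constructed for the example; a real integration would typically verify an asymmetric signature with the issuer's public key, but the shape of the check is the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes) -> str:
    # What the trusted caller would send: header.payload.HMAC-SHA256(header.payload).
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def handle_unverified(token: str) -> str:
    # Vulnerable pattern: the claims are trusted straight out of the payload,
    # so any caller that can reach the service can mint a token that is accepted.
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return f"200 accepted for {payload['iss']}"

def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature is valid, else None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None                              # unsigned or malformed token
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":             # refuse "none" and algorithm swaps
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))

def handle_verified(token: str, key: bytes) -> str:
    # Hardened pattern: nothing is processed until the signature has been checked.
    claims = verify_token(token, key)
    return "401 rejected" if claims is None else f"200 accepted for {claims['iss']}"
```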

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
| CA-UI5-COR | 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
| MFG-PCO-DMC | 3301942 | [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing | high | 7.9 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H |
| CA-UI5-CTR-BAL | 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | high | 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
| LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-CTS-DTR | 3318657 | [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository) | medium | 6.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| EP-PIN-NAV | 3331627 | [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CRM-IPS-BTX-APL | 2826092 | [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CA-WUI-UI-TAG | 3322800 | Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CA-WUI-UI-TAG | 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-INV | 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| AP-MD-BF-SYN | 1794761 | [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL) | medium | 4.2 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
| BC-CTS-TMS-CTR | 3325642 | [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System) | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L |