On the 13th of June 2023, SAP Security Patch Day saw the release of 8 new Security Notes.
There were 5 updates to previously released Security Notes.
Notes by severity
Severity | Count |
---|---|
HotNews | 0 |
Correction with high priority | 4 |
Correction with medium priority | 8 |
Correction with low priority | 1 |
Highlights
On the June Patch Day SAP presented 4 high-severity Notes, all of them rated as a correction with high priority.
Today's list is short, so we can describe in more detail what you should look at as a first priority.
First, we will pay attention to Note 3102769, which addresses a Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse with a CVSS score of 8.8. Unauthorized attackers can launch XSS attacks using just one SAP KW component within a web browser, potentially disclosing sensitive data. This Note was re-released with updated "Support Packages & Patches" information for releases 7.31 and 7.40; the previous update was on 23rd August 2022.
SAP UI5 gets two high-priority corrections:
Note 3324285 – Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) – with a CVSS score of 8.2. Insufficient encoding of user-controlled input in UI5 Variant Management results in a Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user-level access can severely compromise user privacy, change sensitive data, and render the application unavailable to users.
Note 3326210 – Improper Neutralization of Input in SAPUI5 – with a CVSS score of 7.1. Untrusted CSS can be injected because SAPUI5's sap.m.FormattedText control fails to effectively neutralize input, which can prevent users from accessing the application. Additionally, because of the same lack of URL validation by the control, the vulnerability could allow an attacker to view or modify user information through phishing attacks. The Note was re-released from the previous Patch Day with updated 'Solution' and 'Workaround' information.
Integration with SAP Plant Connectivity for SAP Digital Manufacturing also gets an important security patch:
The last Note to mention: 3301942 – Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing – with a CVSS score of 7.9. Neither SAP Plant Connectivity 15.5 (PCo) nor the Production Connector for SAP Digital Manufacturing verifies the JSON Web Token (JWT) signature in the HTTP request provided by SAP Digital Manufacturing. Unauthorized callers from the internal network might therefore be able to issue service requests to PCo or the Production Connector, which might compromise the integrity of the integration with SAP Digital Manufacturing.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
CA-UI5-COR | 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
MFG-PCO-DMC | 3301942 | [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing | high | 7.9 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H |
CA-UI5-CTR-BAL | 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | high | 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
BC-CTS-DTR | 3318657 | [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository) | medium | 6.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
EP-PIN-NAV | 3331627 | [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CRM-IPS-BTX-APL | 2826092 | [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-WUI-UI-TAG | 3322800 | Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-WUI-UI-TAG | 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BI-BIP-INV | 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
AP-MD-BF-SYN | 1794761 | [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL) | medium | 4.2 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
BC-CTS-TMS-CTR | 3325642 | [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System) | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L |