On the 11th of May 2021, SAP Security Patch Day saw the release of 6 new Security Notes.
There was 5 update to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 3 |
| Correction with high priority | 3 |
| Correction with medium priority | 4 |
| Correction with low priority | 1 |
Highlights
On May Patch Day SAP presents 6 high-severity Notes with 3 of them rated as HotNews.
The HotNews update for 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10 starts our list today – a usual update of the Note released on August 2018.
Two more updates from the 2021 release are presented on the Patch Day: 3040210 – Remote Code Execution vulnerability in Source Rules of SAP Commerce and 2999854 – Code Injection in SAP Business Warehouse and SAP BW/4HANA (Both with a CVSS Score of 9.9).
SAP NetWeaver AS ABAP could become the target of a code injection by a potential attacker using an ABAP report execution. Such vulnerability and the steps for mitigation are presented in Security Note 3046610 – Code Injection vulnerability in SAP NetWeaver AS ABAP with a CVSS Score of 8.2.
Also, we would like to mention 2 other Security Notes rated as a correction with high priority: 3049661 – Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook), 3049755 – Information Disclosure in SAP Business One (Chef business-one-cookbook). We advise you to pay the necessary attention as these are the common systems in the user’s landscape.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-CKP | 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-BEX-OT-DBIF | 2999854 | [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CTS-ORG | 3046610 | [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP | 8.2 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-HANA-COM | 3049661 | [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-BC-INT | 3049755 | [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS | 3039818 | [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-XI-IBF-UI | 3012021 | [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework) | 4.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| BC-WD-JAV | 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| SV-FRN-APP-SDD | 3030948 | [CVE-2021-27609] Missing Authorization check in SAP Focused RUN | 4.6 | Correction with medium priority | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| BC-FES-CTL | 3023078 | [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website | 3.4 | Correction with low priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
