Sap Security Notes for October 2022 - Safe O’Clock - Safe O'Clock

SAP Security Notes – October 2022

October 12, 2022

In the current October Patch Day, 15 new Security Notes were added. 2 previously released Notes were updated.

Notes by severity

HotNews — 2 

Correction with high priority — 6

Correction with medium priority — 9

Correction with low priority — 0

Highlights

First HotNews note in the current patch day is 324293 has CVSS Score 9.9 and concerns SAP Manufacturing Execution. The note closes the path traversal vulnerability, which is quite simple to execute. Due to the vulnerability, it is possible to read the contents of directories, which leads to information disclosure. It is recommended to apply fixes as soon as possible.

The second HotNews fixes vulnerability 3239152 with CVSS Score 9.6 for SAP Commerce users. The vulnerability allows the user’s credentials to be stolen by forging a URL and redirecting data to an attacker’s server. It is recommended to apply fixes in accordance with the note, but if for some reason it is not possible, a workaround is present in the note.

Closed vulnerability in note 3232021 with CVSS Score 8.1. The vulnerability allows clipboard overflow in SAP SQL Anywhere and SAP IQ databases when systems are running in debug mode. When the vulnerability is executed, an attacker will be able to read and modify unauthorized data, as well as affect the availability of systems.

A number of Information Disclosure vulnerabilities have also been closed for various applications in SAP BusinessObjects Business Intelligence Platform. These are 3239293 with CVSS Score 7.7, 3229132 with CVSS Score 8.2 and 3213507 with CVSS Score 8.2.

A number of vulnerabilities were closed for SAP 3D Visual Enterprise Author and Viewer, which are described in notes 3245929 and 3245928 with CVSS Score 7 for both. Closed vulnerabilities include Improper Input Validation, Denial of service, Arbitrary code execution.

Summary 

SAP Component Number Description Priority CVSS CVSS Vector
MFG-ME 3242933 [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CEC-COM-CPS 3239152 [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form HotNews 9.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
BI-BIP-ADM 3229132 [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) high 8.2 CVSS:/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
BI-BIP-ADM 3213507 [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) high 8.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
BC-SYB-SQA 3232021 [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ high 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
BI-BIP-ADM 3239293 [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform(AdminTools/ Query Builder) high 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CA-VE-VEA 3245929 [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author high 7 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CA-VE-VEV 3245928 [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer high 7 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
BI-BIP-LCM 3233226 [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) medium 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
KM-SEN-MGR 3049899 [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
BI-BIP-INV 3211161 [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CEC-COM-CPS 3202523 Cross-Site Scripting (XSS) vulnerability in SAP Commerce medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-RA-AWB 3229425 [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CEC-PRO-GIY 3248970 [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) medium 4.9 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CEC-PRO-GIY 3248384 [CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) medium 4.9 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EIM-DS-SVR 3167342 [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console medium 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CA-MDG-APP-CUS 3234755 Information Disclosure vulnerability in Master Data Governance medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – February 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP Security Notes – December 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK