SAP Security Notes for October 2022 - Safe O'Clock

SAP Security Notes – October 2022

October 12, 2022

On the October 2022 Patch Day, 15 new Security Notes were released and 2 previously released Notes were updated.

Notes by severity

HotNews — 2 

Correction with high priority — 6

Correction with medium priority — 9

Correction with low priority — 0

Highlights

The first HotNews note in this Patch Day is 3242933, with CVSS Score 9.9, concerning SAP Manufacturing Execution. The note closes a path traversal vulnerability that is quite simple to exploit: it allows the contents of directories to be read, which leads to information disclosure. It is recommended to apply the fix as soon as possible.

The second HotNews note, 3239152 with CVSS Score 9.6, fixes a vulnerability affecting SAP Commerce users. It allows a user's credentials to be stolen by forging a URL that redirects data to an attacker's server. It is recommended to apply the fix as described in the note; if for some reason that is not possible, the note also provides a workaround.

Note 3232021, with CVSS Score 8.1, closes a buffer overflow in SAP SQL Anywhere and SAP IQ that is reachable when the systems are running in debug mode. If exploited, it allows an attacker to read and modify data without authorization and to affect the availability of the systems.

A number of Information Disclosure vulnerabilities have also been closed in various components of the SAP BusinessObjects Business Intelligence Platform: notes 3239293 (CVSS Score 7.7), 3229132 (CVSS Score 8.2) and 3213507 (CVSS Score 8.2).

Several vulnerabilities were closed in SAP 3D Visual Enterprise Author and Viewer, described in notes 3245929 and 3245928, both with CVSS Score 7. The closed vulnerabilities include Improper Input Validation, Denial of Service and Arbitrary Code Execution.

Summary 

SAP Component | Number | Title | Priority | CVSS Score | CVSS Vector
--- | --- | --- | --- | --- | ---
BI-BIP-ADM | 3239293 | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) | Correction with high priority | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
BI-RA-AWB | 3229425 | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP | Correction with medium priority | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BI-BIP-ADM | 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | Correction with high priority | 8.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
BI-BIP-ADM | 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | Correction with high priority | 8.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
BI-BIP-INV | 3211161 | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CEC-PRO-GIY | 3248970 | [CVE-2022-41209] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | Correction with medium priority | 4.9 | CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CEC-PRO-GIY | 3248384 | [CVE-2022-41210] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | Correction with medium priority | 4.9 | CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CA-VE-VEA | 3245929 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | Correction with high priority | 7.0 | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CA-VE-VEV | 3245928 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | Correction with high priority | 7.0 | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
MFG-ME | 3242933 | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CEC-COM-CPS | 3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
KM-SEN-MGR | 3049899 | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | Correction with medium priority | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
EIM-DS-SVR | 3167342 | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | Correction with medium priority | 4.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CEC-COM-CPS | 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | HotNews | 9.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CA-MDG-APP-CUS | 3234755 | Information Disclosure vulnerability in Master Data Governance | Correction with medium priority | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
BI-BIP-LCM | 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | Correction with medium priority | 6.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-SYB-SQA | 3232021 | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | Correction with high priority | 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H