On its September 2022 Patch Day, SAP published 8 new Security Notes and updated 8 previously released ones.
Notes by severity
HotNews — 1
Correction with high priority — 6
Correction with medium priority — 9
Correction with low priority — 0
Highlights
The top note, with CVSS score 10 and HotNews priority, is another update of note 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client”.
The most critical of the new notes for SAP Business One is 3223392. This note, with CVSS score 7.8, closes a Windows Unquoted Service Path vulnerability: a local attacker with low privileges who can write to a directory along the unquoted path could have their own executable started by the service and thereby gain SYSTEM privileges, affecting Confidentiality, Integrity and Availability.
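The following is an added example, not code from the SAP note or from SAP Business One: it shows how an unquoted service path is detected from a service's ImagePath value and which files Windows would try to start before the intended executable. The service names and paths are constructed samples, not the affected SAP binaries; on a real host the same values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.

```python
import re

# Constructed sample ImagePath values (illustrative only; not the paths
# from the SAP note). A real audit would read these from the registry
# or from "Get-CimInstance Win32_Service | Select Name, PathName".
SAMPLE_SERVICES = {
    "SampleSvcA": r"C:\Program Files\Example Vendor\Example Service\svc.exe -run",
    "SampleSvcB": r'"C:\Program Files\Example Vendor\Example Service\svc.exe" -run',
    "SampleSvcC": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "SampleSvcD": r"C:\ExampleNoSpace\svc.exe",
}

# The executable is taken as the shortest prefix ending in ".exe";
# anything after it is treated as arguments.
EXE_RE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)


def executable_path(image_path):
    """Return the executable portion of an unquoted ImagePath."""
    p = image_path.strip()
    m = EXE_RE.match(p)
    return m.group(1) if m else p


def hijack_candidates(exe_path):
    """Files CreateProcess tries, in order, before the intended executable.

    For an unquoted path containing spaces, Windows splits at each space
    and appends ".exe" to every prefix, so an attacker who can write one
    of these files gets it executed in the service's security context
    (SYSTEM for most services).
    """
    return [exe_path[: m.start()] + ".exe" for m in re.finditer(r"\s", exe_path)]


def quoted_image_path(image_path):
    """The remediation: wrap the executable portion in double quotes."""
    p = image_path.strip()
    exe = executable_path(p)
    return '"' + exe + '"' + p[len(exe):]


def audit(services):
    """Map each vulnerable service name to its hijack candidate paths."""
    findings = {}
    for name, image_path in services.items():
        p = image_path.strip()
        if p.startswith('"'):
            continue  # already quoted: not exploitable this way
        exe = executable_path(p)
        if " " not in exe:
            continue  # no space, nothing for CreateProcess to misparse
        findings[name] = hijack_candidates(exe)
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for c in candidates:
            print(f"  attacker-controlled candidate: {c}")
        print(f"  fix ImagePath to: {quoted_image_path(SAMPLE_SERVICES[name])}")
```

A finding only becomes exploitable if a low-privileged user can create one of the listed candidate files, so the next step on a real host is to check the ACLs of those parent directories (for example with icacls) before treating the service as a privilege escalation path.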
New Information Disclosure vulnerabilities were closed for SAP BusinessObjects with note 3217303 (CVSS score 7.7, CMC) and note 2998510 (CVSS score 7.8, Central Management Server). Using these vulnerabilities, an attacker could read sensitive information that is stored or transmitted unencrypted.
Note 3237075 with CVSS score 7.1 closes a vulnerability in SAP GRC Access Control Emergency Access Management. Because Firefighter sessions are not expired properly, an authenticated attacker on the adjacent network could continue to use a Firefighter session even after it has been closed in the Firefighter Logon Pad.
Note 3226411 (CVSS score 8.1) for SAP SuccessFactors has been updated; it addresses a privilege escalation in the attachment API used by the SuccessFactors mobile app on Android and iOS. Refer to the note for details and for the affected functionality.
For note 3102769, which describes the XSS vulnerability in SAP Knowledge Warehouse, the workaround information has been moved to a separate note, 3221696. If you have already implemented the note or applied the workaround, this update can be ignored.
Summary
SAP Component | Note | Description | Priority | CVSS Score | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
SBO-CRO-SEC | 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
GRC-SAC-EAM | 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | high | 7.1 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
BC-CCM-MON-OS | 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | medium | 6.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H |
QM-QN | 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
EP-KM-FWK-CF | 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-FES-WGU | 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-FES-WGU | 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
BC-MID-RFC | 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
BC-MID-ICF | 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
CA-WUI-UI-TAG | 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |