In September, SAP published 8 new Security Notes on its September Patch Day. 8 previously released Security Notes were updated.
Notes by severity
HotNews — 1
Correction with high priority — 6
Correction with medium priority — 9
Correction with low priority — 0
Highlights
Main note with CVSS Score 10 priority is another update of note 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client”.
The most critical of the new notes for SAP Business One is 3223392. This note with CVSS score 7.8 closes the Unquoted Service Path vulnerability, exploiting which an attacker could gain SYSTEM privileges and affect Confidentiality, Integrity and Availability.
New Information Disclosure vulnerabilities were closed for SAP BusinessObjects with 2998510 Note CVSS score 7.7 and 2998510 Note CVSS score 7.8. Using these vulnerabilities, an attacker could read unencrypted sensitive information.
Note 3237075 with CVSS Score 7.1 closed a vulnerability in SAP GRC in Emergency Access Management. The vulnerability allows an authenticated attacker to gain access to a Firefighter session even after the session is closed in the Firefighter Logon Pad.
Note 3226411 has been updated for SAP SuccessFactors users with CVSS Score 8.1. Attachments have been included for the SF Mobile app. For more information and the ability to track the functionality, please refer to the note.
For note 3102769 describing the XSS vulnerability in the SAP Knowledge Warehouse, the workaround information has been moved to a separate note 3221696. If you have already implemented the note or have used information from the workaround, you could ignore this note.
Summary
| SAP Component | Number | Title | Priority | CVSS Score | CVSS Vector |
| SBO-CRO-SEC | 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | Correction with high priority | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EP-KM-FWK-CF | 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | Correction with high priority | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| BC-CCM-MON-OS | 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | Correction with medium priority | 6.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H |
| BC-MID-ICF | 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | Correction with medium priority | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
| CA-WUI-UI-TAG | 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | Correction with medium priority | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | Correction with high priority | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| GRC-SAC-EAM | 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | Correction with high priority | 7.1 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-FES-WGU | 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) | Correction with high priority | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| QM-QN | 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | Correction with medium priority | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-FES-WGU | 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | Correction with medium priority | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BC-MID-ICF | 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | Correction with medium priority | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
| BC-MID-RFC | 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Correction with medium priority | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | Correction with high priority | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
