Issued: Monday, 19 December, 2022
Last Revision: Monday, 19 December, 2022
SAP released twenty new and updated Security Notes on its December Patch Day, including the notes that were released or updated since last Patch Tuesday. This includes five Hot-News Notes and five High Priority Notes. The remaining security notes that SAP announced on December 2022 Security Patch Day deal with medium-severity vulnerabilities in Disclosure Management, NetWeaver, Solutions Manager, BusinessObjects, Sourcing, and Contract Lifecycle Management.
| CVE/Vulnerability | Affected Products | CVSS Score | Exploitable |
|---|---|---|---|
| Note 2622660: Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Versions 6.5, 7.0, 7.70 | 10 | No |
| CVE-2022-41267: Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform, Versions 420, 430 | 9.9 | No |
| CVE-2022-41272: Improper access control in SAP NetWeaver Process Integration (User Defined Search) | SAP NetWeaver Process Integration, Version 7.50 | 9.9 | No |
| CVE-2022-42889: Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce | SAP Commerce, Versions 1905, 2005, 2105, 2011, 2205 | 9.8 | No |
| CVE-2022-41271: Improper access control in SAP NetWeaver Process Integration (Messaging System) | SAP NetWeaver Process Integration, Version 7.50 | 9.4 | No |
| CVE-2022-41264: Code Injection vulnerability in SAP BASIS | SAP BASIS, Versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791 | 8.8 | No |
| CVE-2022-41268: Privilege escalation vulnerability in SAP Business Planning and Consolidation | | 8.5 | No |
| CVE-2022-39013: Update to Security Note released on October 2022 Patch Day: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | SAP BusinessObjects Business Intelligence Platform (Program Objects), Versions 420, 430 | 8.2 | No |
| CVE-2022-41266: Cross-Site Scripting (XSS) vulnerability in SAP Commerce | SAP Commerce Webservices 2.0 (Swagger UI), Versions 1905, 2005, 2105, 2011, 2205 | 8 | No |
| CVE-2022-35737: Update to Security Note released on November 2022 Patch Day: Multiple Vulnerabilities in SQLite bundled with SAPUI5 | SAPUI5 CLIENT RUNTIME, Versions 600, 700, 800, 900, 1000; SAPUI5, Versions 754, 755, 756, 757 | 7.5 | No |
Organizations are encouraged to review the provided links and apply the necessary updates as soon as possible.
