On August 10, SAP released a security update comprising 15 new patches, 3 of which are critical.

CERT PSE encourages administrators to review the notes published for SAP Security Patch Day and to apply the necessary updates.

Full list of patches:

| Note# | Title | Severity | CVSS |
|---|---|---|---|
| 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One. Product – SAP Business One, Version – 10.0 | Hot News | 9.9 |
| 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service). Product – SAP NetWeaver Development Infrastructure (Component Build Service), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.9 |
| 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation. Product – DMIS Mobile Plug-In, Versions – DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020; Product – SAP S/4HANA, Versions – SAPSCORE 125, S4CORE 102, 102, 103, 104, 105 | Hot News | 9.1 |
| 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal. Product – SAP NetWeaver Enterprise Portal, Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal. Product – SAP NetWeaver Enterprise Portal (Application Extensions), Versions – 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal. Product – SAP NetWeaver Enterprise Portal, Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.1 |
| 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android. Product – SAP Fiori Client Native Mobile for Android, Version – 3.2 | High | 7.6 |
| 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One. Product – SAP Business One, Version – 10.0 | High | 7 |
| 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service). Product – SAP NetWeaver Development Infrastructure (Notification Service), Versions – 7.31, 7.40, 7.50 | Medium | 6.9 |
| 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector. Additional CVEs – CVE-2021-33694, CVE-2021-33693, CVE-2021-33692. Product – SAP Cloud Connector, Version – 2.0 | Medium | 6.8 |
| 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer). Product – SAP Business One, Version – 10.0 | Medium | 6.3 |
| 3002517 | Update to Security Note released on June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. Product – SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions – 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management). Product – SAP NetWeaver (Knowledge Management), Versions – 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report). Product – SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions – 420, 430 | Medium | 5.4 |
| 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5). Product – SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions – 420, 430 | Medium | 4.7 |