Security Advisories for SAP©

Security Advisories

We've created the first of its kind, SecurityBridge ^{Cloud Platform} to prioritize SAP patches, updates and the remediation strategies essential for preventing the disruption of vital business systems. Our security advisories enable SAP users to understand the security and business implications of running SAP.

The user interface, is designed to be as intuitive as possible but we'd love to hear your feedback and opinions.
We hope you like it!

× Yikes, there is work to do!
This time we found critical correction advisiories. We count 486 and the highest CVSS score is 10.0.

Severity

SAP© Security advisories 486

System Types

Affected SAP© system types

_{Related note}
2756188

_CVSS
6.3

_{Affected system
type}
UI5

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments front-end

Security Advisory

_{Related note}
3146336

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-29610] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP

Security Advisory

_{Related note}
2754555

_CVSS
6.3

_{Affected system
type}
ABAP

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments back-end

Security Advisory

_{Related note}
2998510

_CVSS
7.8

_{Affected system
type}
BI/BO platform

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update

Security Advisory

_{Related note}
3145702

_CVSS
5.3

_{Affected system
type}
SAP Host AgentKernel

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-29616] Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver and ABAP Platform

Security Advisory

_{Related note}
3165801

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform

Security Advisory

_{Related note}
3143161

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
Missing Authorization check for UI5 flexibility key user functionality

Security Advisory

_{Related note}
3145046

_CVSS
8.3

_{Affected system
type}
Kernel

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM)

Security Advisory

_{Related note}
3158188

_CVSS
5.3

_{Affected system
type}
SAP Host Agent

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-28774] Information Disclosure vulnerability in SAP Host Agent logfile

Security Advisory

_{Related note}
3164677

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request)

Security Advisory

_{Related note}
3189409

_CVSS
9.8

_{Affected system
type}
SAP Business One Cloud

_Patchday
2022-05

_{Released
on}
2022/05/10

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud

Security Advisory

_{Related note}
3158613

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
Update 1 to Security Note 3022622 - [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence

Security Advisory

_{Related note}
3145769

_CVSS
5.3

_{Affected system
type}
BI/BO platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-27667] Information Disclosure vulnerability in CMC

Security Advisory

_{Related note}
3132633

_CVSS
5.4

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
Information Disclosure vulnerability in SAP GUI for Windows

Security Advisory

_{Related note}
3165333

_CVSS
4.7

_{Affected system
type}
ABAP

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform

Security Advisory

_{Related note}
3130497

_CVSS
8.2

_{Affected system
type}
BI/BO platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-27671] CSRF token visible in one of the URL in SAP Business Intelligence Platform.

Security Advisory

_{Related note}
3148377

_CVSS
6.5

_{Affected system
type}
Java

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC

Security Advisory

_{Related note}
3055044

_CVSS
5.4

_{Affected system
type}
BI/BO platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje - SOAP Web services)

Security Advisory

_{Related note}
3137191

_CVSS
6.8

_{Affected system
type}
BI/BO platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform

Security Advisory

_{Related note}
3163583

_CVSS
6.1

_{Affected system
type}
Java

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
3148094

_CVSS
6.5

_{Affected system
type}
Sybase

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-27670] Denial of service (DOS) in SQL Anywhere

Security Advisory

_{Related note}
3189429

_CVSS
9.8

_{Affected system
type}
Java

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to including 16.7 SP05 PL01)

Security Advisory

_{Related note}
3155609

_CVSS
7.0

_{Affected system
type}
SAP Commerce

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce

Security Advisory

_{Related note}
3189428

_CVSS
9.8

_{Affected system
type}
SAP HANA Platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services

Security Advisory

_{Related note}
3165856

_CVSS
4.3

_{Affected system
type}
SAP Innovation Management

_Patchday
2022-04

_{Released
on}
2022/03/28

Description
[CVE-2022-27658] Missing authorization check in SAP Innovation Management

Security Advisory

_{Related note}
3150845

_CVSS
4.3

_{Affected system
type}
BI/BO platform

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)

Security Advisory

_{Related note}
3138299

_CVSS
4.1

_{Affected system
type}
Adobe LiveCycle Designer

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0)

Security Advisory

_{Related note}
3111293

_CVSS
4.9

_{Affected system
type}
Kernel

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)

Security Advisory

_{Related note}
3170990

_CVSS
9.8

_{Affected system
type}
Any

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework

Security Advisory

_{Related note}
3187290

_CVSS
9.8

_{Affected system
type}
SAP Customer Checkout

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout

Security Advisory

_{Related note}
3126557

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28770] Cross-Site Scripting (XSS) vulnerability in SAPUI5 (vbm library)

Security Advisory

_{Related note}
3101986

_CVSS
4.1

_{Affected system
type}
ABAP

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
Enable CSP support for OP1909 in SAP CRM WebClient UI

Security Advisory

_{Related note}
3189635

_CVSS
9.8

_{Affected system
type}
SAP Customer...

_Patchday
2022-04

_{Released
on}
2022/04/14

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics

Security Advisory

_{Related note}
3111311

_CVSS
7.5

_{Affected system
type}
Kernel

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)

Security Advisory

_{Related note}
3163703

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
Multiple Vulnerabilities in URI.js bundled with SAPUI5

Security Advisory

_{Related note}
3171258

_CVSS
9.8

_{Affected system
type}
SAP Commerce

_Patchday
2022-04

_{Released
on}
2022/04/18

Description
[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce

Security Advisory

_{Related note}
3159091

_CVSS
2.7

_{Affected system
type}
SAP Solution Manager...

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)

Security Advisory

_{Related note}
3152442

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[CVE-2022-27669] Missing Authentication check in XML Data Archiving Service

Security Advisory

_{Related note}
3143437

_CVSS
6.5

_{Affected system
type}
SAP 3D Visual Enterprise

_Patchday
2022-04

_{Released
on}
2022/04/12

Description
[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer

Security Advisory

_{Related note}
3147283

_CVSS
5.4

_{Affected system
type}
SAP Solution Manager...

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-24399] Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring)

Security Advisory

_{Related note}
3146261

_CVSS
6.1

_{Affected system
type}
Java

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-24395] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
3149805

_CVSS
8.1

_{Affected system
type}
ABAP

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad

Security Advisory

_{Related note}
3144941

_CVSS
5.4

_{Affected system
type}
SAP Financial Consolidation

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-26104] Missing Authorization check in SAP Financial Consolidation

Security Advisory

_{Related note}
3145987

_CVSS
9.3

_{Affected system
type}
SAP Solution Manager...

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0)

Security Advisory

_{Related note}
3154684

_CVSS
10.0

_{Affected system
type}
SAP Work Manager

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager

Security Advisory

_{Related note}
3145997

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-26102] Missing authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3132360

_CVSS
3.7

_{Affected system
type}
Java

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-26103] Information Disclosure vulnerability in SAP NetWeaver(Real Time Messaging Framework)

Security Advisory

_{Related note}
3103424

_CVSS
5.0

_{Affected system
type}
BI/BO platform

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-24398] Information Disclosure vulnerability in SAP Business Objects Business Intelligence Platform

Security Advisory

_{Related note}
3147102

_CVSS
5.3

_{Affected system
type}
SAP Solution Manager...

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-22547] Information Disclosure vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)

Security Advisory

_{Related note}
3146260

_CVSS
6.1

_{Affected system
type}
Java

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-24397] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
3104349

_CVSS
3.3

_{Affected system
type}
ABAP

_Patchday
2022-03

_{Released
on}
2022/03/22

Description
Missing authorization check in S/4HANA finance for advanced payment management

Security Advisory

_{Related note}
1753378

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2022-03

_{Released
on}
2013/08/13

Description
Directory traversal in Web Container

Security Advisory

_{Related note}
3111110

_CVSS
4.8

_{Affected system
type}
SAPCAR

_Patchday
2022-03

_{Released
on}
2022/03/08

Description
[CVE-2022-26100] Denial of service (DOS) in SAPCAR

Security Advisory

_{Related note}
3116223

_CVSS
3.7

_{Affected system
type}
Kernel

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel)

Security Advisory

_{Related note}
3139893

_CVSS
10.0

_{Affected system
type}
None

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management

Security Advisory

_{Related note}
3123396

_CVSS
10.0

_{Affected system
type}
Kernel

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher

Security Advisory

_{Related note}
3128473

_CVSS
4.9

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22545] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Security Advisory

_{Related note}
3140587

_CVSS
7.1

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server)

Security Advisory

_{Related note}
3142773

_CVSS
10.0

_{Affected system
type}
SAP Commerce

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce

Security Advisory

_{Related note}
3126489

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22535] Missing Authorization check in SAP ERP HCM

Security Advisory

_{Related note}
3124994

_CVSS
4.7

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver

Security Advisory

_{Related note}
2531036

_CVSS
6.3

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2019/04/09

Description
Switchable Authorization checks for RFC BCA_DIM_RESET_TRIGGER_TABLE in Loans (FI-CAX-FS)

Security Advisory

_{Related note}
3130920

_CVSS
10.0

_{Affected system
type}
SAP Data Intelligence

_Patchday
2022-02

_{Released
on}
2022/01/18

Description
Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise)

Security Advisory

_{Related note}
3134684

_CVSS
4.3

_{Affected system
type}
SAP 3D Visual Enterprise

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer

Security Advisory

_{Related note}
3107196

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/01/25

Description
Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver AS ABAP within Web Dynpro ABAP

Security Advisory

_{Related note}
3140564

_CVSS
5.6

_{Affected system
type}
SAP Adaptive Server...

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise

Security Advisory

_{Related note}
3126748

_CVSS
5.4

_{Affected system
type}
BI/BO platform

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad)

Security Advisory

_{Related note}
3123427

_CVSS
8.1

_{Affected system
type}
Kernel

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3140940

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools

Security Advisory

_{Related note}
3142092

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2022-02

_{Released
on}
2022/02/08

Description
[CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)

Security Advisory

_{Related note}
3106528

_CVSS
6.5

_{Affected system
type}
SAP Business One

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44234] Information Disclosure vulnerability in SAP Business One

Security Advisory

_{Related note}
3136094

_CVSS
10.0

_{Affected system
type}
SAP Digital...

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Digital Manufacturing Cloud for Edge Computing

Security Advisory

_{Related note}
3134139

_CVSS
10.0

_{Affected system
type}
SAP Enterprise...

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j2 component used in SAP Enterprise Continuous Testing by Tricentis

Security Advisory

_{Related note}
3134531

_CVSS
7.5

_{Affected system
type}
SAP HANA Platform

_Patchday
2022-01

_{Released
on}
2021/12/24

Description
[CVE-2021-44228] Denial of Service vulnerability associated with Apache Log4j component used in XSA Cockpit

Security Advisory

_{Related note}
3131740

_CVSS
9.8

_{Affected system
type}
SAP Business One

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Business One

Security Advisory

_{Related note}
3132058

_CVSS
10.0

_{Affected system
type}
SAP IoT

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Cloud-to-Cloud Interoperability

Security Advisory

_{Related note}
3112710

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Security Advisory

_{Related note}
3112928

_CVSS
8.7

_{Affected system
type}
ABAP

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA

Security Advisory

_{Related note}
3131691

_CVSS
5.5

_{Affected system
type}
Adobe LiveCycle Designer

_Patchday
2022-01

_{Released
on}
2021/12/30

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0)

Security Advisory

_{Related note}
3135581

_CVSS
6.6

_{Affected system
type}
Java

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
Update 3 to Security Note 3130521: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

Security Advisory

_{Related note}
3136988

_CVSS
10.0

_{Affected system
type}
SAP IoT

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Reference Template for enabling ingestion and persistence of time series data in Azure

Security Advisory

_{Related note}
3133005

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2022-01

_{Released
on}
2021/12/28

Description
Update 2 to Security Note 3130521: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

Security Advisory

_{Related note}
3132177

_CVSS
10.0

_{Affected system
type}
SAP Localization Hub

_Patchday
2022-01

_{Released
on}
2021/12/22

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Localization Hub, digital compliance service for India

Security Advisory

_{Related note}
3124597

_CVSS
6.1

_{Affected system
type}
SAP Enterprise Threat...

_Patchday
2022-01

_{Released
on}
2022/01/11

Description
[CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection

Security Advisory

_{Related note}
3101299

_CVSS
6.6

_{Affected system
type}
SAP Business One

_Patchday
2022-01

_{Released
on}
2021/12/14

Description
[CVE-2021-42066] Information Disclosure vulnerability in SAP Business One

Security Advisory

_{Related note}
3132515

_CVSS
10.0

_{Affected system
type}
SAP Edge Services

_Patchday
2022-01

_{Released
on}
2021/12/30

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services Cloud Edition

Security Advisory

_{Related note}
3132198

_CVSS
9.8

_{Affected system
type}
SAP Landscape...

_Patchday
2021-12

_{Released
on}
2021/12/20

Description
[CVE-2019-17571] Code Injection vulnerability in SAP Landscape Management

Security Advisory

_{Related note}
3131824

_CVSS
8.0

_{Affected system
type}
SAP Connected Health platform

_Patchday
2021-12

_{Released
on}
2021/12/20

Description
[CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 - Fhirserver

Security Advisory

_{Related note}
3132074

_CVSS
8.0

_{Affected system
type}
SAP Cloud for Customer

_Patchday
2021-12

_{Released
on}
2021/12/23

Description
[CVE-2021-44228] Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn

Security Advisory

_{Related note}
3102769

_CVSS
8.8

_{Affected system
type}
Java

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse

Security Advisory

_{Related note}
3131047

_CVSS
10.0

_{Affected system
type}
Any

_Patchday
2021-12

_{Released
on}
2021/12/15

Description
[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component

Security Advisory

_{Related note}
3132162

_CVSS
10.0

_{Affected system
type}
SAP API Management

_Patchday
2021-12

_{Released
on}
2021/12/24

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP API Management (Tenant Cloning Tool)

Security Advisory

_{Related note}
3132964

_CVSS
10.0

_{Affected system
type}
SAP Enable Now

_Patchday
2021-12

_{Released
on}
2021/12/23

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager

Security Advisory

_{Related note}
3080816

_CVSS
2.4

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-44233] Missing Authorization check in GRC Access Control

Security Advisory

_{Related note}
3131258

_CVSS
10.0

_{Affected system
type}
SAP HANA Platform

_Patchday
2021-12

_{Released
on}
2021/12/16

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA

Security Advisory

_{Related note}
3131397

_CVSS
10.0

_{Affected system
type}
SAP HANA Platform

_Patchday
2021-12

_{Released
on}
2021/12/17

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

Security Advisory

_{Related note}
2460948

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/11/23

Description
Missing Authorization Check in Vehicle Management System

Security Advisory

_{Related note}
3130578

_CVSS
10.0

_{Affected system
type}
SAP BTP Cloud Foundry runtime

_Patchday
2021-12

_{Released
on}
2021/12/21

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry

Security Advisory

_{Related note}
3132909

_CVSS
10.0

_{Affected system
type}
SAP Edge Services

_Patchday
2021-12

_{Released
on}
2021/12/24

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition

Security Advisory

_{Related note}
3132204

_CVSS
3.1

_{Affected system
type}
Java

_Patchday
2021-12

_{Released
on}
2021/12/16

Description
Update 1 to Security Note 3130521: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

Security Advisory

_{Related note}
3132822

_CVSS
9.0

_{Affected system
type}
SAP HANA Platform

_Patchday
2021-12

_{Released
on}
2021/12/21

Description
Update 1 to Security Note 3131397 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

Security Advisory

_{Related note}
3132744

_CVSS
10.0

_{Affected system
type}
SAP BTP Kyma runtime

_Patchday
2021-12

_{Released
on}
2021/12/21

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma

Security Advisory

_{Related note}
3123196

_CVSS
8.4

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP

Security Advisory

_{Related note}
3051005

_CVSS
3.5

_{Affected system
type}
SAP UI5

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
Cross-Site Scripting (XSS) Vulnerability in SAP Fiori Launchpad

Security Advisory

_{Related note}
3103677

_CVSS
4.1

_{Affected system
type}
BI/BO platform

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence)

Security Advisory

_{Related note}
2484231

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
Missing Authorization Check in DIMP Industry Solution (Equipment and Tools Management & Bills of Services)

Security Advisory

_{Related note}
3124094

_CVSS
7.7

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework

Security Advisory

_{Related note}
3113593

_CVSS
7.5

_{Affected system
type}
SAP Commerce

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
Denial of service (DOS) in SAP Commerce

Security Advisory

_{Related note}
3121165

_CVSS
4.3

_{Affected system
type}
SAP 3D Visual Enterprise

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer

Security Advisory

_{Related note}
3130521

_CVSS
9.9

_{Affected system
type}
Java

_Patchday
2021-12

_{Released
on}
2021/12/16

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

Security Advisory

_{Related note}
3109577

_CVSS
9.9

_{Affected system
type}
SAP Commerce

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
Code Execution vulnerability in SAP Commerce, localization for China

Security Advisory

_{Related note}
2661033

_CVSS
6.3

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/11/23

Description
Missing Authorization check in RFC enabled function modules in SRM

Security Advisory

_{Related note}
3119365

_CVSS
9.9

_{Affected system
type}
ABAP

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools)

Security Advisory

_{Related note}
3132922

_CVSS
10.0

_{Affected system
type}
SAP Edge Services

_Patchday
2021-12

_{Released
on}
2021/12/21

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform

Security Advisory

_{Related note}
3107332

_CVSS
6.6

_{Affected system
type}
SAP Landscape Management

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
Missing Authorization Check in SAP Landscape Management

Security Advisory

_{Related note}
3114134

_CVSS
8.8

_{Affected system
type}
SAP Commerce

_Patchday
2021-12

_{Released
on}
2021/12/14

Description
[CVE-2021-42064] SQL Injection vulnerability in SAP Commerce

Security Advisory

_{Related note}
3133772

_CVSS
10.0

_{Affected system
type}
SAP Customer Checkout

_Patchday
2021-12

_{Released
on}
2021/12/22

Description
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout

Security Advisory

_{Related note}
3099776

_CVSS
9.6

_{Affected system
type}
Kernel

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
[CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel

Security Advisory

_{Related note}
2827086

_CVSS
7.9

_{Affected system
type}
SAP FRP

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
Several security vulnerabilities in FRP 5.4.0 and FR Engine 5.4.0

Security Advisory

_{Related note}
3106859

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
URL Redirection vulnerability in Offer Management

Security Advisory

_{Related note}
2607126

_CVSS
6.3

_{Affected system
type}
Java

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
Cross-Site Request Forgery vulnerability in Enterprise Services Repository of SAP Process Integration

Security Advisory

_{Related note}
3104456

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
[CVE-2021-42062] Missing Authorization check in SAP ERP HCM

Security Advisory

_{Related note}
3105728

_CVSS
4.9

_{Affected system
type}
ABAP

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
[CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform

Security Advisory

_{Related note}
3110328

_CVSS
8.3

_{Affected system
type}
SAP Commerce

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
[CVE-2021-40502] Missing Authorization check in SAP Commerce

Security Advisory

_{Related note}
3080106

_CVSS
6.8

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2021-11

_{Released
on}
2021/11/09

Description
[CVE-2021-40503] Information Disclosure in SAP GUI for Windows

Security Advisory

_{Related note}
2988956

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/09/28

Description
Cross-Site Request Forgery (CSRF) vulnerability in S/4HANA OP2020, OP1909 in Import Financial Plan Data

Security Advisory

_{Related note}
2655294

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
Missing Authorization check in SCM BAPIs

Security Advisory

_{Related note}
3055347

_CVSS
6.1

_{Affected system
type}
SAP UI5

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
Cross-Site Scripting (XSS) vulnerability in SAPUI5

Security Advisory

_{Related note}
3084937

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver

Security Advisory

_{Related note}
3100882

_CVSS
6.4

_{Affected system
type}
SAP Cloud Print Manager

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)

Security Advisory

_{Related note}
3074819

_CVSS
6.7

_{Affected system
type}
SAP Business One

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-38179] Information Disclosure in SAP Business One

Security Advisory

_{Related note}
3077635

_CVSS
7.8

_{Affected system
type}
SAP Success Factors

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices

Security Advisory

_{Related note}
3101406

_CVSS
9.8

_{Affected system
type}
Java

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance

Security Advisory

_{Related note}
3099011

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform

Security Advisory

_{Related note}
2988962

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/09/28

Description
Cross-Site Request Forgery (CSRF) vulnerability for S/4HANA OP2020, OP1909 in Import Financial Plan Data

Security Advisory

_{Related note}
3074693

_CVSS
6.9

_{Affected system
type}
BI/BO platform

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports)

Security Advisory

_{Related note}
3087254

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform

Security Advisory

_{Related note}
3079427

_CVSS
6.5

_{Affected system
type}
SAP Business One

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-38180] CSV Injection in SAP Business One

Security Advisory

_{Related note}
3089438

_CVSS
9.1

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/09/20

Description
Missing transaction start (AU3) entries in the Security Audit Log

Security Advisory

_{Related note}
3097887

_CVSS
9.1

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform

Security Advisory

_{Related note}
3080710

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform

Security Advisory

_{Related note}
3098917

_CVSS
4.3

_{Affected system
type}
BI/BO platform

_Patchday
2021-10

_{Released
on}
2021/10/12

Description
[CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP)

Security Advisory

_{Related note}
2308378

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
Missing Authorization check in Financial Accounting

Security Advisory

_{Related note}
3084487

_CVSS
9.9

_{Affected system
type}
Java

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)

Security Advisory

_{Related note}
3055180

_CVSS
5.4

_{Affected system
type}
BI/BO platform

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)

Security Advisory

_{Related note}
3069032

_CVSS
6.5

_{Affected system
type}
SAP Business One

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-33685] Directory Traversal vulnerability in SAP Business One

Security Advisory

_{Related note}
3089831

_CVSS
9.9

_{Affected system
type}
ABAP

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework

Security Advisory

_{Related note}
3075546

_CVSS
4.3

_{Affected system
type}
SAP Business One

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-37532] Directory Listing Enabled in SAP Business One

Security Advisory

_{Related note}
3081888

_CVSS
9.9

_{Affected system
type}
Java

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)

Security Advisory

_{Related note}
3068582

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR

Security Advisory

_{Related note}
3070138

_CVSS
5.3

_{Affected system
type}
SAP Business One

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-33686] Information Disclosure in SAP Business One

Security Advisory

_{Related note}
3073891

_CVSS
9.6

_{Affected system
type}
BCM platform

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center

Security Advisory

_{Related note}
3060621

_CVSS
6.1

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38150] Information disclosure in SAP Business Client

Security Advisory

_{Related note}
3087791

_CVSS
4.3

_{Affected system
type}
SAP 3D Visual Enterprise

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer

Security Advisory

_{Related note}
3078609

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)

Security Advisory

_{Related note}
3082500

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office

Security Advisory

_{Related note}
3069882

_CVSS
4.3

_{Affected system
type}
SAP Business One

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-33688] SQL Injection vulnerability in SAP Business One

Security Advisory

_{Related note}
3068337

_CVSS
3.5

_{Affected system
type}
ABAP

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
Reverse tabnabbing vulnerability in SAP Marketing Lead Nurture Stream

Security Advisory

_{Related note}
3051787

_CVSS
7.5

_{Affected system
type}
ABAP Java HANA platform

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib

Security Advisory

_{Related note}
3082219

_CVSS
4.8

_{Affected system
type}
Java

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
3080567

_CVSS
8.9

_{Affected system
type}
Kernel

_Patchday
2021-09

_{Released
on}
2021/09/14

Description
[CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher

Security Advisory

_{Related note}
2675775

_CVSS
6.3

_{Affected system
type}
ABAP

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
Switchable Authorization checks for RFC in CRM Middleware

Security Advisory

_{Related note}
3072920

_CVSS
8.3

_{Affected system
type}
Java

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
[CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
2659604

_CVSS
6.4

_{Affected system
type}
ABAP

_Patchday
2021-08

_{Released
on}
2021/07/27

Description
Cross-Site Scripting (XSS) Vulnerability in BSP application CRM_CM

Security Advisory

_{Related note}
3063048

_CVSS
4.7

_{Affected system
type}
BI/BO platform

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
[CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5)

Security Advisory

_{Related note}
3073325

_CVSS
7.0

_{Affected system
type}
SAP Business One

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
[CVE-2021-33700] Missing Authentication check in SAP Business One

Security Advisory

_{Related note}
3076399

_CVSS
6.1

_{Affected system
type}
Java

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
[CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)

Security Advisory

_{Related note}
3058553

_CVSS
6.8

_{Affected system
type}
SAP Cloud Connector

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
[CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector

Security Advisory

_{Related note}
3057378

_CVSS
8.8

_{Affected system
type}
Kernel

_Patchday
2021-08

_{Released
on}
2021/08/10

Description
Missing Authentication check in SAP Web Dispatcher

Security Advisory

Notifications