On 09.08.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP GUI / Frontend.
SAP Note 3156484 addresses "Information Disclosure vulnerability in SAP Business Client" to prevent insufficient security function with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationDue to incorrect certificate validation, SAP Business Client allows an authenticated attacker to access information that would otherwise be restricted.
SAP Business Client can now be switched to a more strict mode, where no certificate errors are omitted.
- 6.7 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
- 6.3 [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1
- 5.4 [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager
- 3.8 [CVE-2020-6197] Insufficient session expiration in SAP Enable Now Manager
- 3.7 [CVE-2020-6363] Insufficient Session Expiration in SAP Commerce Cloud