On 12.04.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Solution Manager & SAP Focused Run .
SAP Note 3159091 addresses "[CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)" to prevent directory traversal (read) with a low risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationSAP Focused Run (Simple Diagnostic Agent 1.0) allows an authenticated attacker to potentially read arbitrary files from the server, possibly disclosing confidential information.
The affected program has been updated to apply a strengthened path validation Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems. ".
The advisory is valid for