On its March patch day, SAP published a list of 19 new vulnerabilities and the corresponding updates. Prompt patching is advisable: the list contains two critical vulnerabilities with CVSS scores of 9.9 out of 10 and three further critical vulnerabilities with CVSS scores between 9.0 and 9.6.
As almost every month, it is worth taking a look at the SAP Patch Day Blog. March 2023 again brings a long list of vulnerabilities. Of the 19 listed vulnerabilities and their corresponding updates, 5 are rated "Critical" under the Common Vulnerability Scoring System (CVSS), 4 are rated "High" and another 10 are rated "Medium". Two of the vulnerabilities are considered particularly serious, with a CVSS score of 9.9.
5 critical vulnerabilities in SAP
- CVE-2023-25616, CVSS 9.9: Code injection vulnerability in SAP Business Objects Business Intelligence platform (CMC)
- CVE-2023-23857, CVSS 9.9: Improper access control in SAP NetWeaver AS for Java
- CVE-2023-27269, CVSS 9.6: Directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP platform
- CVE-2023-27500, CVSS 9.6: Directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP platform (SAPRSBRO program)
- CVE-2023-25617, CVSS 9.0: Operating system command execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)
Another 4 vulnerabilities are rated "High" and should also be patched promptly: CVE-2023-27893, CVE-2023-27501, CVE-2023-26459 (incl. CVE-2023-25618) and CVE-2023-27498. Their CVSS scores range from 7.2 to 8.8. The remaining 10 updates on SAP's list carry CVSS scores between 5.3 and 6.8.
More at SAP.com