Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

SAP Patches High-Severity Vulnerabilities in Business One Product

German software maker SAP on Tuesday announced the release of 20 new security notes and three updates to previous security notes as part of its July 2022 Security Patch Day.

Of the new security notes, four deal with high-severity vulnerabilities, one impacting SAP BusinessObjects and three found in Business One.

German software maker SAP on Tuesday announced the release of 20 new security notes and three updates to previous security notes as part of its July 2022 Security Patch Day.

Of the new security notes, four deal with high-severity vulnerabilities, one impacting SAP BusinessObjects and three found in Business One.

The most severe of these issues is CVE-2022-35228 (CVSS score of 8.3), an information disclosure vulnerability in the central management console of the BusinessObjects Business Intelligence Platform.

The issue “allows an unauthenticated attacker to gain token information over the network,” but the attack “would require a legitimate user to access the application,” software security firm Onapsis explains.

The first of the high-severity bugs that impact Business One is an information disclosure flaw (CVE-2022-32249) that allows a highly privileged attacker to access sensitive information that can be used in subsequent attacks, such as credentials.

The second issue is a missing authorization check (CVE-2022-28771) that allows an unauthenticated attacker to break an application using malicious HTTP requests sent over the network.

The third bug in Business One is a code injection vulnerability (CVE-2022-31593) that allows a low privileged attacker to control application behavior.

A total of 17 security notes released on SAP’s July 2022 Security Patch Day address medium-severity vulnerabilities, the majority of which impact the NetWeaver Enterprise Portal and Business Objects.

SAP published six security notes that address cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal, all of them with a CVSS score of 6.1. Five other security notes address medium-severity issues in Business Objects.

The remaining medium-severity security notes deal with vulnerabilities in SAPS/4HANA, EA-DFPS, ABAP Platform, and Business One.

Related: SAP Patches High-Severity NetWeaver Vulnerabilities

Related: SAP Patches Spring4Shell Vulnerability in More Products

Related: Critical SAP Vulnerability Allows Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...