{"id":9224,"date":"2023-07-12T10:07:41","date_gmt":"2023-07-12T08:07:41","guid":{"rendered":"https:\/\/www.inprosec.com\/?p=9224"},"modified":"2023-12-28T11:37:39","modified_gmt":"2023-12-28T09:37:39","slug":"sap-security-notes-july-2023","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-security-notes-july-2023\/","title":{"rendered":"SAP Security Notes, July 2023"},"content":{"rendered":"

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.<\/strong><\/p>\n\n

July 2023 notes<\/h2>\n

Summary and highlights of the month<\/h3>\n

The total number of notes\/patches was 18, 5 more than last month. The number of Hot News increased from 0 to 2 this month. On the other hand, it is worth noting that the number of high criticality notes increases, going from 4 to 7. As usual we will leave the medium and low notes unreviewed this month, but we will give details of a total of 9 notes<\/strong> (all those with a CVSS of 7<\/span> or higher).<\/p>\n

We have a total of 18 notes <\/strong>for the whole month (the 18 from patch Tuesday, 16 new ones and 2 updates, that’s 5 more scores than last patch Tuesday).<\/p>\n

We will review in detail 9 of the total 9 high notes and HotNews, 1 of the 2 HotNews is new and 6 of 7 high notes would be new (those of CVSS greater than or equal to 7<\/span>).<\/p>\n

    \n
  1. The most critical note of the month (with CVSS 10<\/span>)<\/strong> is an update of the usual note related to “Google Chromium”.<\/li>\n
  2. The next most critical note (with CVSS 9.1<\/span>)<\/strong> is a HotNew related to “OS command injection vulnerability in SAP ECC and SAP S\/4HANA<\/strong>“.<\/li>\n
  3. The next criticality score (with CVSS 8.7<\/span><\/strong>) is related to “Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)<\/strong>“.<\/li>\n
  4. The following note in criticality (with CVSS 8,6<\/span><\/strong>), “Request smuggling and request concatenation vulnerability in SAP Web Dispatcher<\/strong>“.<\/li>\n
  5. The following criticality note (with CVSS 8.2<\/span><\/strong>), is an update of a note published last June, related to “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)<\/strong>“.<\/li>\n
  6. The following criticality scores (with CVSS 7.8<\/span> and 7.7<\/span><\/strong>) are two high scores, one related to “Denial of service (DOS) vulnerability in SAP SQL Anywhere<\/strong>” and the other to “Memory Corruption vulnerability in SAP Web Dispatcher<\/strong>“.<\/li>\n
  7. The following criticality scores (with CVSS 7.2<\/span><\/strong>), are two high scores, one related to “Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) and the other to “Header Injection in SAP Solution Manager (Diagnostic Agent)<\/strong>“.<\/li>\n
  8. This month the most predominant type is “Injection vulnerability<\/strong>” (3\/18 in patch day).<\/li>\n<\/ol>\n

    In the graph (post July 2023 from SAP) we can see the ranking of the July notes<\/strong><\/span> in addition to the evolution and ranking of the last 5 previous months (only the notes of Sec. Tuesday \/ Patch Day – by SAP):<\/p>\n

    \"\"<\/p>\n

    Full details<\/h3>\n

    The complete detail of the most relevant notes<\/strong> is as follows:<\/p>\n