October 13, 2022

SAP Addressed 2 Critical Vulnerabilities Affecting Various Systems

SAP published 15 patches for various systems as part of the October 2022 SAP Security Patch Day, including fixes for two critical vulnerabilities.

The Critical Vulnerabilities

• CVE-2022-39802 (CVSS 3.1: 9.9, Critical) – File path traversal vulnerability in SAP Manufacturing Execution, allows an attacker to exploit insufficient validation of a file path request parameter which may lead to information disclosure.
• CVE-2022-41204 (CVSS 3.1: 9.6, Critical) – URL Redirection vulnerability in SAP Commerce login form, an attacker can inject code to modify the login page’s content and redirect submissions from the compromised login form to their own server by manipulating the URL.
  Allowing the attacker to obtain credentials and take control over accounts.

Affected Products

• SAP Manufacturing Execution – versions 15.1, 15.2, 15.3 (CVE-2022-39802).
• SAP Commerce, Versions -1905, 2005, 2105, 2011, 2205 (CVE-2022-41204).

Mitigation

CYREBRO recommends all affected customers to apply the SAP Manufacturing Execution and SAP Commerce patch as soon as possible.

Additionally, CYREBRO recommends all clients who use SAP to update their other SAP products that were fixed as part of Patch Tuesday.

References: SAP Advisory