SAP Security Notes, May 2023
Hot news note 3307833 patches a critical information disclosure vulnerability in the SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. That token can then be used to access the platform with the credentials of the compromised user. The vulnerability impacts versions 4.2 and 4.3 of BOBJ.
Hot news note 3328495 addresses multiple vulnerabilities in SAP 3D Visual Enterprise License Manager. This includes code injection, broken authentication, and session hijacking. The vulnerabilities can be addressed by updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. A workaround is also included in the note as a temporary fix. The workaround will disable the vulnerable web interface for the solution.
Note 3326210 includes corrections to apply input validation for untrusted CSS in SAPUI5. Notes 3217303 and 3213507 patch high-risk information disclosure vulnerabilities in the CMC and Monitoring DB components of BOBJ, respectively.
Note 3301942 provides a fix that validates the signatures of JSON Web Tokens carried in HTTP requests, closing a missing-authentication vulnerability in SAP Digital Manufacturing.
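The defect class behind note 3301942 is a JWT that is decoded but never verified. The following is an added illustration, not code from SAP or from the advisory: it uses only the Python standard library, a constructed HS256 signing key, and a constructed token, and places the weak pattern (trusting the payload segment as sent) beside the hardened one (pinning the algorithm, checking the MAC in constant time, then enforcing expiry). Nothing here reflects how SAP Digital Manufacturing implements its check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only. A real service loads its
# secret (or the issuer's public key) from configuration, never from source.
DEMO_KEY = b"example-hs256-secret-not-for-production"


def _b64url_decode(part: str) -> bytes:
    """Decode base64url without padding, as JWS segments are encoded."""
    padding = "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS for the example. alg="none" is supported only
    so the verifier can be shown rejecting that kind of token."""
    header = {"alg": alg, "typ": "JWT"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{head}.{body}."
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Weak pattern: the payload is trusted exactly as the client sent it.
    The signature segment is never examined, so the identity claims are
    whatever the sender chose to put there."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def decode_verified(token: str, key: bytes, now=None) -> dict:
    """Hardened pattern: algorithm pinned server-side, MAC compared in
    constant time, expiry enforced, and only then are claims returned."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Never let the token's own header choose the algorithm ("none", etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def reject_reason(token: str, key: bytes, now=None):
    """Return the verifier's rejection reason, or None if the token passes."""
    try:
        decode_verified(token, key, now)
        return None
    except ValueError as err:
        return str(err)


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap the payload segment while keeping the original signature. This
    models a modified token reaching the server and is what the verifier
    must catch."""
    head, _, sig = token.split(".")
    body = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{head}.{body}.{sig}"


if __name__ == "__main__":
    good = make_token({"sub": "user1", "exp": 2_000_000_000}, DEMO_KEY)
    altered = replace_payload(good, {"sub": "admin", "exp": 2_000_000_000})
    print("unverified decode sees:", decode_unverified(altered)["sub"])
    print("verified decode says:  ", reject_reason(altered, DEMO_KEY))
    print("alg=none token says:   ", reject_reason(make_token({"sub": "x"}, DEMO_KEY, "none"), DEMO_KEY))
```

The two decoders accept the same well-formed token, but only the verified one refuses a token whose payload was changed after signing, a token whose header asks for `alg: none`, or a token past its `exp`. The constant-time comparison and the server-side algorithm pin are the two details most often left out when a verifier is written from scratch.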