Five Security Notes included in SAP Security Patch Day for May 2019 addressed missing authorization checks in SAP products, including Treasury and Risk Management, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services.
“Today, being the second Tuesday of the month, SAP released May’s Security Notes. This month, there are no critical or Hot
SAP also released five Security Notes to address information disclosure vulnerabilities in several products, including BusinessObjects and Solution Manager.
The Security Note is related to a privilege escalation issue (CVE-2019-0301) in SAP Identity Management REST Interface Version, this is the only Note rated as High priority, while the remaining 12 are rated Medium.
“Under certain conditions, it is possible to request the modification of
This is the most severe flaw, it received a CVSS score of 8.4.
Two flaws received a CVSS score of 6.3, they are an information disclosure in BusinessObjects business intelligence platform (CVE-2019-0287), and a missing authorization check in Treasury and Risk Management (CVE-2019-0280).
SAP published updates for Security Notes released in October 2009, September 2010, December 2010, and March 2013.
“A total of 11 Security Notes were published in May and an additional three in late April after last month’s Patch Tuesday, represented in these types: Missing Authorization Checks (the most common type of vulnerability in SAP software), Information Disclosure, Cross-Site Scripting (XSS) and Privilege Escalation.” adds Onapsis.