  • SAP Security Patch Day – August 2021

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 10th of August 2021, SAP Security Patch Day saw the release of 14 Security Notes. There was 1 update to a previously released Patch Day Security Note.

List of security notes released on August Patch Day:

| Note# | Title | Severity | CVSS |
|---|---|---|---|
| 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One; Product - SAP Business One, Version - 10.0 | Hot News | 9.9 |
| 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service); Product - SAP NetWeaver Development Infrastructure (Component Build Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.9 |
| 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation; Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020; Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105 | Hot News | 9.1 |
| 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal (Application Extensions), Versions - 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.1 |
| 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android; Product - SAP Fiori Client Native Mobile for Android, Version - 3.2 | High | 7.6 |
| 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One; Product - SAP Business One, Version - 10.0 | High | 7 |
| 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service); Product - SAP NetWeaver Development Infrastructure (Notification Service), Versions - 7.31, 7.40, 7.50 | Medium | 6.9 |
| 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector; Additional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692; Product - SAP Cloud Connector, Version - 2.0 | Medium | 6.8 |
| 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer); Product - SAP Business One, Version - 10.0 | Medium | 6.3 |
| 3002517 | Update to Security Note released on June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report); Product - SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions - 420, 430 | Medium | 5.4 |
| 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5); Product - SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions - 420, 430 | Medium | 4.7 |

________________________________________________________________________________

Vulnerability Type Distribution - August 2021

# Multiple vulnerabilities on the same product can be fixed by one security note.


Security Notes vs Priority Distribution (March – August 2021)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after July 13, 2021 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'July 14, 2021 - August 10, 2021' → Go.

To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
