CVE-2021-44235: SAP Security Patch Day - December 2021 - Product Security Response at SAP

Note#****Title****Priority****CVSS2622660**Update to Security Note released on Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5Hot News103109577Code Execution vulnerability in SAP Commerce, localization for China
**Related CVEs - CVE-2021-21341,CVE-2021-21342,CVE-2021-21349,CVE-2021-21343,CVE-2021-21344,CVE-2021-21346,CVE-2021-21347,CVE-2021-21350,CVE-2021-21351,CVE-2021-21345,CVE-2021-21348Product - SAP Commerce, localization for China, Version - 2001Hot News9.93119365[CVE-2021-44231] **Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools)
**Product - SAP ABAP Server & ABAP Platform (Translation Tools), Versions - 701, 740,750,751,752,753,754,755,756,804Hot News9.93089831

Update to Security Note released on September 2021 Patch Day:
[CVE-2021-38176] **SQL Injection vulnerability in SAP NZDT Mapping Table Framework
**Product - SAP S/4HANA, Versions - 1511, 1610, 1709, 1809, 1909, 2020, 2021
Product - SAP LT Replication Server, Versions - 2.0, 3.0
Product - SAP LTRS for S/4HANA, Version - 1.0
Product - SAP Test Data Migration Server, Version - 4.0
Product - SAP Landscape Transformation, Version - 2.0

Hot News9.93114134[CVE-2021-42064] **SQL Injection vulnerability in SAP Commerce
**Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011High8.83102769[CVE-2021-42063] **Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
**Product - SAP Knowledge Warehouse, Versions - 7.30, 7.31, 7.40, 7.50High8.83123196[CVE-2021-44235] **Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
**Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756High8.43077635[CVE-2021-40498] **Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices
**Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - <2108 High7.83124094[CVE-2021-44232] **Directory Traversal vulnerability in SAF-T Framework
Product - SAF-T Framework, Versions - SAP_FIN 617, 618, 720, 730, SAP_APPL 600, 602, 603, 604, 605, 606, S4CORE 102, 103, 104, 105High7.73113593Denial of service (DOS) in SAP Commerce
**Related CVE - CVE-2021-37714
Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011High7.53000663

**Update to Security Note released on July 2021 Patch Day:
**[CVE-2021-33683] **HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager
**Product - SAP Web Dispatcher and Internet Communication Manager, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83

Medium5.43121165

[Multiple CVEs] **Improper Input Validation in SAP 3D Visual Enterprise Viewer
**CVEs - CVE-2021-42068,CVE-2021-42070, CVE-2021-42069, CVE-2021-42069
Product - SAP 3D Visual Enterprise Viewer, Version - 9

Medium4.32843016_Update to Security Note released on November 2019 Patch Day:_
[CVE-2019-0388] **Content spoofing vulnerability in UI5 HTTP Handler
**Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
Product - SAP UI 700, Versions - 2.0Medium4.33103677[CVE-2021-42061] **Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence)
**Product - SAP BusinessObjects Business Intelligence Platform, Version - 420Medium4.13080816[CVE-2021-44233] **Missing Authorization check in GRC Access Control
**Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750Low2.4