- 222/2024
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP BusinessObjects Business Intelligence Platform, SAP Build Apps, SAP BEx Web Java Runtime Export Web Service, SAP S/4 HANA, SAP NetWeaver AS Java, SAP Document Builder, SAP Business Warehouse, SAP CRM ABAP, SAP Student Life Cycle Management (SLcM), SAP Commerce Backoffice, SAP Replication Server.
The attacker could exploit some of these vulnerabilities to bypass security restrictions, obtain sensitive information, perform cross-site scripting attacks, perform server-side request forgery attacks, or gain elevated privileges to the affected products.
Sample of the addressed vulnerabilities:
1. SAP BusinessObjects Business Intelligence Platform Security Bypass Vulnerability (CVE-2024-41730):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
2. SAP BEx Web Java Runtime Export Web Service Information Disclosure Vulnerability (CVE-2024-42374):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.