- 186/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (3) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP PowerDesigner, SAP ECC and SAP S/4HANA (IS-OIL), SAP Commerce, SAP NetWeaver (BI CONT ADD ON), SAP Business One, SAP BusinessObjects Business Intelligence (installer), SAP Message Server, SAP Supplier Relationship Management, and SAP Host Agent.
The attacker could exploit some of these vulnerabilities to gain access, execute arbitrary code, cause denial of service attacks, obtain information, or perform cross-site scripting on the affected products.
Sample of the addressed vulnerabilities:
1. SAP PowerDesigner SQL Injection Vulnerability (CVE-2023-37483):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
2. SAP Commerce Cloud Improper Authentication Vulnerability (CVE-2023-39439):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Bypass Security
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.