- 52/2024
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP ABA, SAP NetWeaver AS Java, SAP CRM WebClient UI, SAP IDES Systems, SAP Cloud Connector, SAP GUI, SAP Bank Account Management, SAP
Companion, SAP NetWeaver Application Server ABAP (SAP Kernel), SAP NWBC for HTML, SAP Fiori app (“My Overtime Requests”), SAP Master Data Governance Material, SAP CRM (WebClient UI) and SAP Master Data Governance.
The attacker could exploit some of these vulnerabilities to obtain sensitive information, perform directory traversal, perform cross-site scripting, or execute OS commands and manipulate data with an unknown input to the affected products.
Sample of the addressed vulnerabilities:
1. SAP ABA (Application Basis) Code Injection Vulnerability (CVE-2024-22131):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Data Manipulation
2. NetWeaver AS Java (User Admin Application) Cross Site Scripting Vulnerability (CVE-2024-22126):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross Site Scripting
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.