- 113/2024
- High
- April 15, 2024
- 1:24 pm
SAP has released security updates to address several vulnerabilities affecting multiple SAP products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP NetWeaver AS Java User Management Engine, SAP BusinessObjects Web Intelligence, AP Asset Accounting, SAP Edge Integration Cell, SAP NetWeaver AS ABAP and ABAP Platform, AP Group Reporting Data Collection, SAP Employee Self Service, SAP S/4HANA, SAP NetWeaver, and SAP Business Connector.
The attacker could exploit some of these vulnerabilities to perform cross-site scripting attacks, obtain sensitive information, conduct denial of service attacks, or gain elevated privileges to the affected products.
Sample of the addressed vulnerabilities:
1. SAP NetWeaver AS Java User Management Engine Information Disclosure (CVE-2024-27899):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Obtain Information
2. SAP Group Reporting Data Collection Privilege Escalation (CVE-2024-28167):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.