SAP December 2024 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP NetWeaver AS for JAVA, SAP Web Dispatcher, SAP BusinessObjects Business Intelligence Platform, SAP NetWeaver Application Server (ABAP), SAP HCM, SAP Product Lifecycle Costing, SAP NetWeaver Administrator and SAP Commerce Cloud.

An attacker could exploit some of these vulnerabilities to bypass security restrictions, obtain sensitive information, manipulate data or execute arbitrary code, and thereby gain access to the affected systems.

A sample of the addressed vulnerabilities:

1. SAP NetWeaver AS for JAVA Server-Side Request Forgery Vulnerability (CVE-2024-47578):

  • CVSS: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Consequences: Gain Access

2. SAP NetWeaver Application Server ABAP through Remote Function Call (RFC) Information Disclosure Vulnerability (CVE-2024-54198):

  • CVSS: 8.5
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Obtain Information

Mitigations

Enterprises should deploy this patch as soon as their testing phase is complete.

References

SAP Security Patch Day December 2024