SAP July 2024 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

The updates fix vulnerabilities in products including SAP PDCE, SAP Commerce, SAP Landscape Management, SAP Document Builder, SAP NetWeaver Knowledge Management XMLEditor, CRM (WebClient UI), SAP Business Warehouse – Business Planning and Simulation, SAP S/4HANA Finance (Advanced Payment Management), SAP Business Workflow (WebFlow Services), SAP GUI for Windows, SAP Transportation Management (Collaboration Portal), SAP NetWeaver Application Server for ABAP and ABAP Platform.

An attacker could exploit some of these vulnerabilities to bypass security restrictions, obtain sensitive information, perform cross-site scripting attacks, or gain elevated privileges on the affected products.

Sample of the addressed vulnerabilities:

1. SAP PDCE Privilege Escalation Vulnerability (CVE-2024-39592):

  • CVSS: 7.7
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Privileges

2. SAP Commerce Security Bypass Vulnerability (CVE-2024-39597):

  • CVSS: 7.2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Bypass Security
Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

SAP Security Patch Day July 2024
