Enterprise software maker SAP on Tuesday announced the release of 17 new and eight updated security notes as part of its August 2024 Security Patch Day.
Two of the new security notes are rated ‘hot news’, the highest priority rating in SAP’s book, as they address critical-severity vulnerabilities.
The first deals with a missing authentication check in the BusinessObjects Business Intelligence platform. Tracked as CVE-2024-41730 (CVSS score of 9.8), the flaw could be exploited to get a logon token using a REST endpoint, potentially leading to full system compromise.
The second hot news note addresses CVE-2024-29415 (CVSS score of 9.1), a server-side request forgery (SSRF) bug in the Node.js library used in Build Apps. According to SAP, all applications built using Build Apps should be re-built using version 4.11.130 or later of the software.
Four of the remaining security notes included in SAP’s August 2024 Security Patch Day, including an updated note, resolve high-severity vulnerabilities.
The new notes resolve an XML injection flaw in BEx Web Java Runtime Export Web Service, a prototype pollution bug in S/4 HANA (Manage Supply Protection), and an information disclosure issue in Commerce Cloud.
The updated note, initially released in June 2024, resolves a denial-of-service (DoS) vulnerability in NetWeaver AS Java (Meta Model Repository).
According to enterprise application security firm Onapsis, the Commerce Cloud security defect could lead to the disclosure of information via a set of vulnerable OCC API endpoints that allow information such as email addresses, passwords, phone numbers, and certain codes “to be included in the request URL as query or path parameters”.
“Since URL parameters are exposed in request logs, transmitting such confidential data through query parameters and path parameters is vulnerable to data leakage,” Onapsis explains.
The remaining 19 security notes that SAP announced on Tuesday address medium-severity vulnerabilities that could lead to information disclosure, escalation of privileges, code injection, and data deletion, among others.
Organizations are advised to review SAP’s security notes and apply the available patches and mitigations as soon as possible. Threat actors are known to have exploited vulnerabilities in SAP products for which patches have been released.
Related: SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access
Related: SAP Patches High-Severity Vulnerabilities in PDCE, Commerce
Related: SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver