Connect with us

Hi, what are you looking for?



SAP’s First Patches of 2024 Resolve Critical Vulnerabilities

SAP has released patches for critical vulnerabilities in Business Application Studio, Web IDE, and Edge Integration Cell.

Enterprise software maker SAP this week announced the release of 10 new and two updated security notes as part of its first Security Patch Day of 2024.

Rated ‘hot news’, the highest rating in SAP’s notebook, two of the new and one of the updated security notes deal with critical-severity escalation of privilege vulnerabilities in several products, SAP explains in its advisory (PDF).

The first hot news security note resolves CVE-2023-49583, a security defect in Business Application Studio, Web IDE Full-Stack and Web IDE for SAP HANA.

The issue impacts SAP customers who created Node.js applications using the aforementioned SAP software, as these applications may rely on dependencies that use vulnerable versions of two SAP libraries, enterprise software security firm Onapsis explains.

SAP’s second hot news note addresses the same vulnerability, along with CVE-2023-50422, in Edge Integration Cell, a hybrid solution that comes with SAP Integration Suite to provide API integration and which relies on BTP Security Services Integration Libraries and Programming Infrastructures, Onapsis explains.

The third hot news security note is an update to a note released in December 2023 to resolve multiple escalation of privilege bugs in Business Technology Platform (BTP) Security Services Integration Libraries, including CVE-2023-49583 and CVE-2023-50422.

“The note was updated one day after December Patch Day with additional information in multiple text sections. Customers who already applied the patch are not affected,” Onapsis says.

SAP also resolved four high-severity vulnerabilities on its first Security Patch Day of 2024. The first is a code injection bug in Application Interface Framework (File Adapter) that could allow an attacker to execute OS commands.

Advertisement. Scroll to continue reading.

The second high-severity flaw is described as a denial-of-service (DoS) issue in Web Dispatcher and NetWeaver Application Server ABAP that could be exploited without authentication.  

Next in line is an information disclosure defect in the Microsoft Edge browser extension, while the fourth high-severity bug is an improper authorization check in LT Replication Server.

The five remaining security notes deal with four medium- and one low-severity vulnerability in S/4HANA Finance, NetWeaver AS for Java, NetWeaver ABAP Application Server and ABAP Platform, NetWeaver Internet Communication Manage, and Marketing.

SAP customers are advised to apply the patches as soon as possible. While the software maker makes no mention of any of these vulnerabilities being exploited in the wild, unpatched SAP applications are known to have been exploited in malicious attacks.

Related: SAP Patches Critical Vulnerability in Business Technology Platform

Related: SAP Patches Critical Vulnerability in Business One Product

Related: SAP Releases 7 New Notes on October 2023 Patch Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.