SAP Security Patch Day – August 2024
This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply these patches as a priority to protect their SAP landscape.
On 13 August 2024, SAP Security Patch Day saw the release of 17 new Security Notes. In addition, there were 8 updates to previously released Security Notes.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | Hot News | |
| | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | Hot News | |
| 3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service. Product: SAP BEx Web Java Runtime Export Web Service; Versions: BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5 | High | |
| 3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection). Product: SAP S/4 HANA; Library Versions: SheetJS CE < 0.19.3 | High | |
| 3460407 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository). Product: SAP NetWeaver AS Java; Version: MMR_SERVER 7.5 | High | |
| 3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud. Product: SAP Commerce Cloud; Versions: HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | |
| 3466801 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management. Product: SAP Landscape Management; Version: VCM 3.00 | Medium | |
| 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS). CVEs: CVE-2023-0215, CVE-2022-0778, CVE-2023-0286. Product: SAP Replication Server; Versions: 16.0.3, 16.0.4 | Medium | |
| 3459379 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | |
| 3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework. Additional CVE: CVE-2024-42377. Product: SAP Shared Service Framework; Versions: SAP_BS_FND 702, 731, 746, 747, 748 | Medium | |
| 3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server. Product: SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93 | Medium | |
| 3482217 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | Medium | |
| 3465455 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | Medium | |
| 3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Medium | |
| | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | Medium | |
| 3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management). Product: SAP CRM ABAP (Insights Management); Versions: BBPCRM 700, 701, 702, 712, 713, 714 | Medium | |
| 3458789 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Medium | |
| 3468102 | [CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Application Server ABAP; Versions: SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912 | Medium | |
| 3150704 | Update to Security Note released on January 2023 Patch Day: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | Medium | |
| 3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVEs: CVE-2024-28166, CVE-2024-41731. Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 420, 430, 440 | Medium | |
| 3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work. Product: SAP Permit to Work; Versions: UIS4HOP1 800, 900 | Medium | |
| 3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | Medium | |
| 3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Medium | |
| 3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | |
| 3454858 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1 |
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.