SAP Patch Day Bulletin - 2024

SAP Security Patch Day – January 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.

Note#

Title

Severity

CVSS

3412456

[CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA 
Library- @sap/xssec, Versions – < 3.6.0 
Library- @sap/approuter, Versions – 14.4.2

Hot News

9.1

3413475

[Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell 
Related CVEs -
CVE-2023-49583, CVE-2023-50422 
Product - SAP Edge Integration Cell, Versions >= 8.9.13

Hot News

9.1

 3411067

Update to Security Note released on December 2023 Patch Day:
[Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries
CVEs - CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424 
Library- @sap/xssec, Versions – < 3.6.0
Library- cloud-security-services-integration-library, Versions – < 2.17.0 & from 3.0.0 before 3.3.0
Library- sap-xssec, Versions – < 4.1.0
Library- github.com/sap/cloud-security-client-go, Versions - < 0.17.0 

 Hot News

 9.1

3411869

[CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter)
Product – SAP Application Interface Framework (File Adapter), Version – 702

High

8.4

3389917

[CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform
Product - SAP Web Dispatcher, Versions –  WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.90, WEBDISP 7.94, WEBDISP 7.95,
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - KRNL64UC 7.53, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.94, KERNEL 7.93, KERNEL 7.95

High

7.5

3386378

[CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge)
Product - Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge), Version - 1.0

High 

7.4

3407617

[CVE-2024-21735] Improper Authorization check in SAP LT Replication Server
Product - SAP LT Replication Server, Versions – S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108

High

7.3

3260667

[CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
Product – SAP S/4HANA Finance (Advanced Payment Management), Version – SAPSCORE 128, S4CORE 10

Medium

6.4

 3324732

Update to Security Note released on July 2023 Patch Day:
[CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
Product - SAP NetWeaver AS for Java (Log Viewer), Version - ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50

 Medium

 5.3

3387737

[CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform
Product – SAP NetWeaver ABAP Application Server and ABAP Platform, Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 79

Medium

4.1

3392626

[CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager
Product - SAP NetWeaver (Internet Communication Manager), Versions - KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54

Medium

4.1

3190894

[CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App)
Product - SAP Marketing (Contacts App), Version – 160

Low

3.7

SAP Security Patch Day – February 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. Further, there were 3 updates to previously released Security Notes.

Note#

Title

Severity

CVSS

2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Versions - 6.5, 7.0, 7.70

Hot News

10.0

3420923

[CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis)
Product - SAP ABA (Application Basis), Versions - 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I

Hot News

9.1

3417627

[CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)
Product - SAP NetWeaver AS Java (User Admin Application), Version - 7.50

High

8.8

3426111

[CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
Product - SAP NetWeaver AS Java (Guided Procedures), Version - 7.50

High

8.6

3410875

[CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Product - SAP CRM WebClient UI, Versions - S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801

High

7.6

3421659

[CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems
Product – IDES Systems, Versions – All versions

High

7.4

3424610

[CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector
Product – SAP Cloud Connector, Version - 2.0

High

7.4

3385711

Update to Security Note released on December 2023 Patch Day:
[CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java
Product - SAP GUI for Windows and SAP GUI for Java, Versions – SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

High

7.3

2637727

[CVE-2024-24739] Missing authorization check in SAP Bank Account Management
Product – BAM (Bank Account Management), Versions – SAP_FIN 618, SAP_FIN 730, S4CORE 100, 101

Medium

6.3

3404025

[CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion
Product - SAP Companion, Versions < 3.1.38

Medium

5.4

3360827

[CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
Product - SAP NetWeaver Application Server ABAP (SAP Kernel), Versions - KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53

Medium

5.3

3396109

[CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML
Product - SAP NWBC for HTML, Versions – SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731

Medium

4.7

3237638

[CVE-2024-25643] Missing authorization check in SAP Fiori app ("My Overtime Requests")
Product - SAP Fiori app ("My Overtime Requests"), Version – 605

Medium

4.3

2897391

[CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material
Product – SAP Master Data Governance Material, Versions – 618, 619, 620, 621, 622, 800, 801, 802, 803, 804

Medium

4.3

3158455

[CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Product – SAP CRM (WebClient UI), Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801

Medium

4.1

3363690

Update to Security Note released on December 2023 Patch Day:
[CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance
Product - SAP Master Data Governance, Versions - MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808, SAP_BS_FND 702

Low

3.5

SAP Security Patch Day – March 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 12th of March 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client

Product - SAP Business Client, Versions - 6.5, 7.0, 7.70

Hot News

10.0

3425274

[CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps

Product - SAP Build Apps, Versions < 4.9.145

Hot News 

9.4

3433192

[CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in)
Product - SAP NetWeaver AS Java (Administrator Log Viewer plug-in), Version - 7.50

Hot News 

9.1

3346500

Update to Security Note released on August 2023 Patch Day:

[CVE-2023-39439] Improper authentication in SAP Commerce Cloud
Product - SAP Commerce, Versions – HY_COM 2105, HY_COM 2205, COM_CLOUD 2211

High

8.8

3410615  

[CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced
Product- SAP HANA Database, Version – 2.0

Product- SAP HANA Extended Application Services Advanced (XS Advanced), Version – 1.0

High 

7.5  

3414195

[CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
Product - SAP BusinessObjects Business Intelligence Platform (Central Management Console), Version - 4.3

High

7.2

3377979

[CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI)
Product – SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI), Versions – 7.89, 7.93

Medium 

5.4

3425682

[CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM)
Product - NetWeaver (WSRM), Versions – 7.50

Medium 

5.3

3428847

[CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) 
Product - SAP NetWeaver (Enterprise Portal), Version – 7.50

Medium   

5.3

3434192

[CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages)
Product - SAP NetWeaver Process Integration (Support Web Pages), Versions – 7.50

Medium

5.3

3417399

[CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server
Product – SAP Fiori Front End Server, Version – 605

Medium 

4.6

 3419022  

[CVE-2024-27900] Missing Authorization check in SAP ABAP Platform
Product - SAP ABAP Platform, Versions – 758, 795

 Medium  

4.3  

SAP Security Patch Day – April 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.

Note#

Title

Severity

CVSS

3434839

[CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
Product - SAP NetWeaver AS Java User Management Engine, Versions - SERVERCORE 7.50, J2EE-APPS 7.50, UMEADMIN 7.50

High

8.8

3421384

[CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence
Product - SAP BusinessObjects Web Intelligence, Versions - 4.2, 4.3

High

7.7

3438234

[CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting
Product - SAP Asset Accounting, Versions - SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_FIN 617, SAP_FIN 618, SAP_FIN 700

High

7.2

3442741

Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL)
Product - SAP Edge Integration Cell, Versions older than 8.13.5

Medium

6.8

3359778

[CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.93

Medium

6.5

3442378

[CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data)
Product - SAP Group Reporting Data Collection (Enter Package Data), Versions - S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, SAP_GRDC_CLOUD 1.0.0

Medium

6.5

3164677

Update to Security Note released on May 2022 Patch Day:
[CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request)
Product - SAP Employee Self Service (Fiori My Leave Request), Version - 605

Medium

6.5

3156972

Update to Security Note released on August 2023 Patch Day:
[CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search)
Product - SAP S/4HANA (Manage Catalog Items and Cross-Catalog search), Versions – S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106

Medium

6.1

3425188

[CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear)
Product - SAP NetWeaver, Version - 7.50

Medium

5.3

3421453

[Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector
CVEs - CVE-2024-30214, CVE-2024-30215
Product - SAP Business Connector, Version - 4.8

Medium

4.8

3427178

[CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management)
Product – SAP S/4 HANA (Cash Management), Versions – S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108

Medium

4.3

3430173

[CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management)
Product - SAP S/4 HANA (Cash Management), Versions – S4CORE 106, S4CORE 107, S4CORE 108

Medium

4.3

SAP Security Patch Day – May 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. Further, there were 3 updates to previously released Security Notes.

Note#

Title

Severity

CVSS

2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client

Product - SAP Business Client, Versions - 6.5, 7.0, 7.70

Hot News

10.0

3455438

[CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce

Related CVE - CVE-2022-36364
Product- SAP Commerce, Version - HY_COM 2205

Hot News

9.8

3448171

[CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Product - SAP NetWeaver Application Server ABAP and ABAP Platform, Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Hot News

9.6

3431794

[CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects (Business Intelligence Platform), Versions – 430, 440

High 

8.1

3441944

[CVE-2024-32730] Missing authorization check in SAP Enable Now Manager
Product- SAP Enable Now, Version - 1704

Medium

6.5

3448445

[CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform
Product - SAP NetWeaver Application server for ABAP and ABAP Platform, Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796

Medium

6.5

3450286

[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Product - SAP NetWeaver Application Server ABAP and ABAP Platform, Versions - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

6.1

3460772

[CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS)
Product - SAP S/4HANA (Document Service Handler for DPS), Versions – SAP_BASIS 740, SAP_BASIS 750

Medium

6.1

3447467  

[CVE-2024-32731] Missing Authorization check in SAP My Travel Requests
Product - My Travel Requests, Version – 600

Medium 

5.5  

2745860

Update to Security Note released on May 2021 Patch Day:

Information Disclosure in Enterprise Services Repository of SAP Process Integration
Product - SAP Process Integration, Versions - MESSAGING 7.31, MESSAGING 7.40, MESSAGING 7.50, NWCEIDE 7.31, SAP_XIESR 7.31, SAP_XIESR 7.40, SAP_XIESR 7.50, SAP_XITOOL 7.31, SAP_XITOOL 7.40, SAP_XITOOL 7.50, SAP_XIAF 7.31, SAP_XIAF 7.40, SAP_XIAF 7.50, SAP_XIGUILIB 7.31, SAP_XIGUILIB 7.40, SAP_XIGUILIB 7.50

Medium

5.3

3349468

[CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server
Product – SAP Replication Server, Versions – 16.0, 16.0.3, 16.0.4

Medium

4.9

3434666

[Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)

CVEs - CVE-2024-4139, CVE-2024-4138
Product – SAP S/4 HANA (Manage Bank Statement Reprocessing Rules), Versions – SAPSCORE 131, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108

Medium

4.3

3449093

[CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
Product – SAP BusinessObjects Business Intelligence Platform (Webservices), Versions – 430, 440

Medium

4.3

2174651

Update to Security Note released on December 2017 Patch Day:
Potential information disclosure relating to PI Integration Directory

Product - SAP Process Integration, Versions - MESSAGING 7.10, MESSAGING 7.11, MESSAGING 7.30, MESSAGING 7.31, MESSAGING 7.40, MESSAGING 7.50, NWCEIDE 7.31, SAP_XITOOL 7.00, SAP_XITOOL 7.01, SAP_XITOOL 7.02, SAP_XITOOL 7.10, SAP_XITOOL 7.11, SAP_XITOOL 7.30, SAP_XITOOL 7.31, SAP_XITOOL 7.40, SAP_XITOOL 7.50, SAP_XIAF 7.31, SAP_XIAF 7.40, SAP_XIAF 7.50, SAP_XIPCK 7.00, SAP_XIPCK 7.01, SAP_XIPCK 7.02, SAP_XIPCK 7.10, SAP_XIPCK 7.11, SAP_XIPCK 7.30

Medium

4.3

1938764

[CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM)
Product – SAP Global Label Management (GLM), Versions – 605, 606, 616, 617

Medium

4.2

3392049

[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management
Product – SAP Bank Account Management, Versions – 100, 101, 102, 103, 104, 105, 106, 107, 108

Low 

3.5

3446076

[CVE-2024-33007] Client-side script execution vulnerability in SAP UI5(PDFViewer)
Product - SAPUI5, Versions – 754, 755, 756, 757, 758

Low 

3.5

SAP Security Patch Day – June 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 11th of June 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 3 updates to previously released Security Notes.

Note#

Title

Severity

CVSS

3457592

[CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation
Additional CVE - CVE-2024-37178

Product - SAP Financial Consolidation, Version - FINANCE 1010

High

8.1

3460407

[CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)

Product - SAP NetWeaver AS Java, Version - MMR_SERVER 7.5

High

7.5

3453170

[CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform

Product- SAP NetWeaver and ABAP platform, Versions - ST-PI 2008_1_700, 2008_1_710, 740

Medium

6.5

3459379

[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)

Product- SAP Document Builder, Versions - S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748

Medium

6.5

3466175

[CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)

Product- SAP S/4HANA (Manage Incoming Payment Files), Versions – S4CORE 102, 103, 104, 105, 106, 107, 108

Medium 

6.5

3465129

[CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)

Product- SAP CRM WebClient UI, Versions – S4FND 102, 103, 104, 105, 106, 107, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801

Medium 

6.1

3450286

Update to Security Note released on May 2024 Patch Day:

[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Product- SAP NetWeaver Application Server ABAP and ABAP Platform, Versions - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796

Medium 

6.1

3465455

[CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP
Product - SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758

Medium

5.5

3457265  

[CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM)
Product- SAP Student Life Cycle Management, Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808

Medium 

5.4  

3425571

[CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)
Product – SAP NetWeaver AS Java, Version – GP-CORE 7.5

Medium

5.3

2638217

Update to Security Note released on June 2018 Patch Day:

Switchable Authorization Checks in Central Finance Infrastructure Components
Product - Central Finance Infrastructure Components, Versions - SAP_FIN 720, 730, SAPSCORE 114, S4CORE 100, 101, 102

Low

3.9

3441817

[CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
Product – SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440

Low

3.7

3392049

Update to Security Note released on May 2024 Patch Day:

[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management
Product – SAP Bank Account Management, Versions – 100, 101, 102, 103, 104, 105, 106, 107, 108

Low

3.5

SAP Security Patch Day – July 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 9th of July 2024, SAP Security Patch Day saw the release of 16 new Security Notes. Further, there were 2 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3483344

[CVE-2024-39592] Missing Authorization check in PDCE
Product - SAP PDCE, Version – S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108

High

7.7

3490515

[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce
Product - SAP Commerce, Version – HY_COM 2205, COM_CLOUD 2211

High

7.2

3466801

[CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management

Product- SAP Landscape Management, Version - VCM 3.00

Medium

6.9

3459379

Update to Security Note released on June 2024 Patch Day:

[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)

Product- SAP Document Builder, Versions - S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748

Medium

6.5

3468681

[CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor

Product- SAP NetWeaver Knowledge Management XMLEditor, Version – KMC-WPC 7.50

Medium 

6.1

3467377

[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)

CVEs - CVE-2024-37173, CVE-2024-37174, CVE-2024-39598, CVE-2024-37175

Product- SAP CRM WebClient UI, Versions – S4FND 102, 103, 104, 105, 106, 107, 108, WEBCUIF 701, 731, 746, 747, 748, 800, 801

Medium 

6.1

3482217

[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation

Additional CVE - CVE-2024-39595

Product- SAP Business Warehouse - Business Planning and Simulation, Versions - SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701

Medium 

6.1

3457354

[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
Product - SAP S/4HANA Finance (Advanced Payment Management), Versions – S4CORE 107, 108

Medium

5.4

3458789  

[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3483993  

[CVE-2024-34689] Prerequisite for Security Note 3458789
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3485805  

[CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services)
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3461110

[CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows
Product – SAP GUI for Windows, Version – BC-FES-GUI 8

Medium

5.0

3469958

[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)
Product – SAP Transportation Management (Collaboration Portal), Versions – SAPTMUI 140, 150, 160, 170

Medium

5.0

3456952

[CVE-2024-39599] Protection Mechanism Failure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796

Medium

4.7

3476348

[CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now
Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704

Medium

4.3

3454858

[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

4.1

3101986

Update to Security Note released on April 2022 Patch Day:

Enable CSP support for OP1909 in SAP CRM WebClient UI
Product – SAP CRM WebClient UI, Versions – S4FND 104

Medium

4.1

3476340

[CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now
Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704

Low

3.3

SAP Security Patch Day – August 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply the patches with priority to protect their SAP landscape.

On 13th of August 2024, SAP Security Patch Day saw the release of 17 new Security Notes. Further, there were 8 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3479478

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform 
Product - SAP BusinessObjects Business Intelligence Platform, Version – ENTERPRISE 430, 440

Hot News

9.8

3477196

[CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps 
Product - SAP Build Apps, Versions < 4.11.130

Hot News

9.1

3485284

[CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service 

Product- SAP BEx Web Java Runtime Export Web Service, Versions - BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5

High

8.2

3423268

[CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) 

Product- SAP S/4 HANA, Library Versions - SheetJS CE < 0.19.3

High

7.8

3460407

Update to Security Note released on June 2024 Patch Day:

[CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)

Product- SAP NetWeaver AS Java, Version – MMR_SERVER 7.5

High 

7.5

3459935

[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud  

Product- SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211

High 

7.4

3466801

Update to Security Note released on July 2024 Patch Day:  

[CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management

Product- SAP Landscape Management, Version - VCM 3.00

Medium 

6.9  

3495876

[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)

CVEs - CVE-2023-0215, CVE-2022-0778, CVE-2023-0286

Product- SAP Replication Server, Versions – 16.0.3, 16.0.4 

Medium 

6.5

3459379

Update to Security Note released on June 2024 Patch Day:

[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) 
Product - SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748

Medium

6.5

3474590

[CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework

Additional CVE - CVE-2024-42377

Product- SAP Shared Service Framework, Versions – SAP_BS_FND 702, 731, 746, 747, 748

Medium 

6.5  

3438085

[CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server
Product - SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93

Medium 

6.3  

3482217

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation 
Product- SAP Business Warehouse - Business Planning and Simulation, Versions – SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701

Medium 

6.1  

3465455

Update to Security Note released on June 2024 Patch Day:

[CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP 
Product- SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758

Medium 

5.5  

3483256

[CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice 
Product – SAP Commerce Backoffice, Version – HY_COM 2205

Medium

5.4

3471450

[CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce 
Product – SAP Commerce, Versions – HY_COM 2205, COM_CLOUD 2211

Medium

5.3

3487537

[CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management)
Product – SAP CRM ABAP (Insights Management), Versions – BBPCRM 700, 701, 702, 712, 713, 714

Medium

5.0

3458789

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)  
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

5.0

3468102

[CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP
Product – SAP NetWeaver Application Server ABAP, Versions – SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912

Medium

4.7

3150704

Update to Security Note released on January 2023 Patch Day:

[CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) 
Product – SAP Bank Account Management (Manage Banks), Versions – 800, 900

Medium

4.5

3433545

[CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform

Additional CVE - CVE-2024-28166, CVE-2024-41731

Product – SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440

Medium 

4.3

3475427

[CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work
Product – SAP Permit to Work, Versions – UIS4HOP1 800, 900

Medium

4.3

3477423

[CVE-2024-39591] Missing Authorization check in SAP Document Builder 
Product – SAP Document Builder, Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, SAP_BS_FND 702, SAP_BS_FND 731, SAP_BS_FND 746, SAP_BS_FND 747, SAP_BS_FND 748

Medium

4.3

3479293

[CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) 
Product – SAP Student Life Cycle Management (SLcM), Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808

Medium

4.3

3494349

[CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 
Product – SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912

Medium

4.3

3454858

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform 
Product- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

4.1

SAP Security Patch Day – September 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 10th of September 2024, SAP Security Patch Day saw the release of 16 new Security Notes. Further, there were 3 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3479478

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform, Versions - ENTERPRISE 430, 440

Hot News

9.8

3459935

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud, Versions - HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211

High

7.4

3495876

Update to Security Note released on August 2024 Patch Day:

[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)

CVEs - CVE-2023-0215, CVE-2022-0778, CVE-2023-0286

Product - SAP Replication Server, Versions - 16.0.3, 16.0.4

Medium

6.5

3488341

[CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface)
Product - SAP Production and Revenue Accounting (Tobin interface), Versions - S4CEXT 106, S4CEXT 107, S4CEXT 108, IS-PRA 605, IS-PRA 606, IS-PRA 616, IS-PRA 617, IS-PRA 618, IS-PRA 800, IS-PRA 801, IS-PRA 802, IS-PRA 803, IS-PRA 804, IS-PRA 805

Medium

6.5

3497347

[CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA
Product - SAP S/4HANA eProcurement, Versions - SAP_APPL 606, SAP_APPL 617, SAP_APPL 618, S4CORE 102, S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108

Medium

6.1

3501359

[CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel)
Product - SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I

Medium

6.1

3477359

[CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
Product - SAP NetWeaver AS for Java (Destination Service), Version - 7.50

Medium

6.0

3430336

[CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud, Version - COM_CLOUD 2211

Medium

5.9

3425287

[CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform, Version - 430

Medium

5.8

3488039

[Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform

CVEs - CVE-2024-42371, CVE-2024-44117, CVE-2024-45285, CVE-2024-42380, CVE-2024-44115, CVE-2024-44116

Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912

Medium

5.4

3505503

[CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
Product - SAP NetWeaver AS Java (Logon Application), Version - 7.50

Medium

4.8

3498221

[CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Version - 7.50

Medium

4.7

3481992

[CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer)
Product - SAP Business Warehouse (BEx Analyzer), Versions - DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758

Medium

4.3

3481588

[CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)
Product - SAP NetWeaver BW (BEx Analyzer), Versions - DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758

Medium

4.3

3437585

[CVE-2024-44121] Information Disclosure in SAP S/4HANA (Statutory Reports)
Product - SAP S/4HANA, Version – 900

Medium

4.3

3505293

[CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution)
Product - SAP for Oil & Gas, Versions – 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, 807

Medium

4.3

2256627

[CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM)
Product - SAP Student Life Cycle Management (SLcM), Versions – 617, 618, 800, 802, 803, 804, 805, 806, 807, 808

Low

2.7

3496410

[CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912

Low

2.7

3507252

[CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912

Low

2.0

SAP Security Patch Day – October 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 8th of October 2024, SAP Security Patch Day saw the release of 6 new Security Notes. Further, there were 7 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3479478

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform, Versions - ENTERPRISE 420, 430, 440

Critical

9.8

3523541

[CVE-2022-23302] Multiple vulnerabilities in SAP Enterprise Project Connection

Related CVEs - CVE-2024-22259, CVE-2024-38809, CVE-2024-38808

Product - SAP Enterprise Project Connection, Version - 3.0

High

8.0

3478615

[CVE-2024-37179] Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence), Versions - ENTERPRISE 420, 430, 2025, ENTERPRISECLIENTTOOLS 420, 430, 2025

High

7.7

3483344

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-39592] Missing Authorization check in SAP PDCE
Product - SAP PDCE, Versions - S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108

High

7.7

3495876

Update to Security Note released on August 2024 Patch Day:

[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)

CVEs - CVE-2023-0215, CVE-2022-0778, CVE-2023-0286

Product - SAP Replication Server, Versions – 16.0.3, 16.0.4

Medium

6.5

3477359

Update to Security Note released on September 2024 Patch Day:

[CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
Product - SAP NetWeaver AS for Java (Destination Service), Version - 7.50

Medium

6.0

3507545

[CVE-2024-45278] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice
Product - SAP Commerce Backoffice, Versions - HY_COM 2205, COM_CLOUD 2211

Medium

5.4

3503462

[CVE-2024-47594] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
Product - SAP NetWeaver Enterprise Portal (KMC), Version - KMC-BC 7.5

Medium

5.4

3520100

[CVE-2024-45277] Prototype Pollution vulnerability in SAP HANA Client
Product - SAP HANA Client, Version - HDB_CLIENT 2.0

Medium

4.3

3251893

[CVE-2024-45282] HTTP Verb Tampering in SAP S/4HANA (Manage Bank Statements)
Product - SAP S/4HANA (Manage Bank Statements), Versions – S4CORE 102, 103, 104, 105, 106, 107

Medium

4.3

3481588

Update to Security Note released on September 2024 Patch Day:

[CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)
Product - SAP NetWeaver BW (BEx Analyzer), Versions – DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758

Medium

4.3

3479293

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM)
Product - SAP Student Life Cycle Management (SLcM), Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808

Medium

4.3

3454858

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

4.1

SAP Security Patch Day – November 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 12th of November 2024, SAP Security Patch Day saw the release of 8 new Security Notes. Further, there were 2 updates to previously released Security Notes.

 

Note#

Title

Priority

CVSS

3520281

[CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher

Product- SAP Web Dispatcher, Versions – WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13

High

8.8

3483344

Update to Security Note released on July 2024 Patch Day:

[CVE-2024-39592] Missing Authorization check in SAP PDCE

Product – SAP PDCE, Version – S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108

High

7.7

3335394

[CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory)

Product- SAP NetWeaver AS Java (System Landscape Directory), Versions – LM-SLD 7.5

Medium

6.5

3509619

[CVE-2024-47595] Local Privilege Escalation in SAP Host Agent
Product - SAP Host Agent, Version – SAPHOSTAGENT 7.22

Medium

6.3

3393899

[CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application)

Product- SAP NetWeaver Application Server Java (Logon Application), Versions – SERVERCORE 7.5

Medium

5.3

3504390

[CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Product- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13

Medium

5.3

3522953

[CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager)
Product - SAP NetWeaver Java (Software Update Manager),
Versions - SUM 1.1

Medium

4.7

3508947

[CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver Application Server ABAP, Versions – KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12

Medium

4.3

3498470

[CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations)
Product - SAP Cash Management (Cash Operations), Version - S4CORE 103, 104, 105, 106, 107, 108

Low

3.5

3392049

Update to Security Note released on May 2024 Patch Day:

[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management
Product - SAP Bank Account Management, Version - 100, 101, 102, 103, 104, 105, 106, 107, 108

Low

3.5

SAP Security Patch Day – December 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 10th of December 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 3 updates to previously released Security Notes.

 

Note#

Title

Priority

CVSS

3536965

[CVE-2024-47578] Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services)

Additional CVE - CVE-2024-47579, CVE-2024-47580

Product- SAP NetWeaver AS for JAVA (Adobe Document Services), Versions – ADSSSAP 7.50

Hot News

9.1

3520281

Update to Security Note released on November 2024 Patch Day:

[CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher

Product- SAP Web Dispatcher, Versions – WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13

High

8.8

3469791

[CVE-2024-54198] Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP

Product – SAP NetWeaver Application Server ABAP, Version – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93

High

8.5

3504390

Update to Security Note released on November 2024 Patch Day:

[CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Product- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13

High

7.5

3542543

[CVE-2024-54197] Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview)

Product- SAP NetWeaver Administrator (System Overview), Version – LM-CORE 7.50

High

7.2

3351041

[CVE-2024-47582] XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA
Product - SAP NetWeaver AS JAVA, Version – LM-CORE 7.50

Medium

5.3

3524933

[CVE-2024-32732] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform

Product- SAP BusinessObjects Business Intelligence platform, Versions – ENTERPRISE 430, 2025

Medium

5.3

3536361

[CVE-2024-47585] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform

Product- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 740, SAP_BASIS 750

Medium

4.3

3515653

Update 1 to Security Note 3433545: [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform

Additional CVE - CVE-2024-28166, CVE-2024-41731

Product- SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 430, 2025

Medium

4.3

3433545

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform

Additional CVE - CVE-2024-28166, CVE-2024-41731

Product- SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 430, 2025

Medium

4.3

3522332

[CVE-2024-47581] Missing Authorization check in SAP HCM (Approve Timesheets version 4)

Product- SAP HCM, Version – S4HCMGXX 101

Medium

4.3

3504847

[CVE-2024-47576] DLL Hijacking vulnerability in SAP Product Lifecycle Costing
Product - SAP Product Lifecycle Costing, Version - PLC_CLIENT 4

Low

3.3

3535451

[CVE-2024-47577] Information Disclosure vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud, Versions - HY_COM 2205, COM_CLOUD 2211

Low

2.7
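
As an added example (not SAP tooling and not code from this bulletin), the Python script below parses entries written in the layout these tables use and matches them against an installed-component inventory. The excerpt it parses is copied from the tables above; the inventory is a made-up system, and names such as parse_bulletin, applicable_notes and INVENTORY are this example's own. The point it demonstrates is the one non-obvious convention in SAP's version lists: a bare token such as 7.22EXT or 753 inherits the component prefix that precedes it (KRNL64NUC, SAP_BASIS), while some rows (for example "Versions - 7.50") name no component at all, so a hit on those is only a candidate until someone confirms the product is installed.

```python
"""Match SAP Security Patch Day entries against an installed-component inventory.
Added example, not an SAP tool. Reads the layout this bulletin uses (note number,
optional "Update to ..." line, "[CVE-...] title", "Product - ..., Versions - ..." line,
priority, CVSS) and expands SAP's version lists, where a bare version inherits the
preceding component prefix."""
import re
from dataclasses import dataclass, field

# Excerpt copied from this page's November and October 2024 tables.
BULLETIN = """
3504390
[CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13
Medium
5.3

3477359
Update to Security Note released on September 2024 Patch Day
[CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
Product - SAP NetWeaver AS for Java (Destination Service),
Versions - 7.50
Medium
6.0
"""

# Constructed inventory (hypothetical system): software component -> installed release.
INVENTORY = {"KERNEL": "7.53", "KRNL64UC": "7.53", "SAP_BASIS": "752", "SERVERCORE": "7.50"}

NOTE_RE = re.compile(r"^\d{7}$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PRODUCT_RE = re.compile(r"^Product\s*[-–]\s*(.+?),\s*Versions?\s*[-–]\s*(.+)$")
COMPONENT_RE = re.compile(r"^([A-Z][A-Z0-9_\-]*)(?:\s+(\S+))?$")  # "KERNEL 7.53"
BARE_VERSION_RE = re.compile(r"^\d[\w.]*$")                      # "7.22EXT", "752"
PRIORITIES = {"Hot News", "Critical", "High", "Medium", "Low"}


@dataclass
class Note:
    number: str
    title: str = ""
    cves: list = field(default_factory=list)
    affected: list = field(default_factory=list)  # (component, version) pairs
    priority: str = ""
    cvss: float = 0.0
    is_update: bool = False


def parse_versions(text):
    """Expand "KRNL64UC 7.22, 7.22EXT, KERNEL 7.53" into (component, version) pairs;
    a list with no component prefix at all ("Versions - 7.50") is filed under "*"."""
    pairs, current = [], "*"
    for token in filter(None, (t.strip() for t in text.split(","))):
        if BARE_VERSION_RE.match(token):
            pairs.append((current, token))          # inherits the last prefix seen
            continue
        m = COMPONENT_RE.match(token)
        if not m:
            raise ValueError(f"unrecognised version token: {token!r}")
        current = m.group(1)
        if m.group(2):                             # a lone "S4CORE" only sets the prefix
            pairs.append((current, m.group(2)))
    return pairs


def parse_bulletin(text):
    """Turn bulletin text into Notes (fused rows such as "Medium6.5" must be expanded first)."""
    lines = []
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln.startswith("Version") and lines and lines[-1].startswith("Product"):
            lines[-1] += " " + ln                  # re-join a wrapped "Product ...,\nVersions ..." row
        elif ln:
            lines.append(ln)
    notes, cur = [], None
    for ln in lines:
        if NOTE_RE.match(ln):
            cur = Note(number=ln)
            notes.append(cur)
        elif cur is None:
            continue
        elif PRODUCT_RE.match(ln):
            cur.affected = parse_versions(PRODUCT_RE.match(ln).group(2))
        elif ln in PRIORITIES:
            cur.priority = ln
        elif re.fullmatch(r"\d+\.\d", ln):
            cur.cvss = float(ln)
        else:
            cur.is_update |= ln.startswith("Update")
            if "[" in ln:                          # "[CVE-...] title", possibly on the Update line
                cur.title = ln[ln.index("["):]
            cur.cves += [c for c in CVE_RE.findall(ln) if c not in cur.cves]
    return notes


def applicable_notes(notes, inventory):
    """(note, matched pairs, verified) for each note naming an installed component at its
    installed release, highest CVSS first. "*" pairs match on release alone -> verified=False."""
    hits = []
    for note in notes:
        matched = [(c, v) for c, v in note.affected
                   if (c == "*" and v in inventory.values()) or inventory.get(c) == v]
        if matched:
            hits.append((note, matched, all(c != "*" for c, _ in matched)))
    return sorted(hits, key=lambda h: h[0].cvss, reverse=True)


if __name__ == "__main__":
    for note, matched, ok in applicable_notes(parse_bulletin(BULLETIN), INVENTORY):
        print(note.cvss, note.priority, note.number, note.cves, matched, "" if ok else "(confirm product)")
```

Run against the constructed inventory, the script reports 3477359 (CVSS 6.0) first, flagged for confirmation because the note lists the Java stack by release only, and then 3504390 (CVSS 5.3) on the KRNL64UC 7.53 and KERNEL 7.53 matches. Fused rows from a badly extracted table ("Medium6.5", "3488341[CVE-...]") are not handled; expand them as the tables above are laid out before feeding them in.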

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.