SAP Security Patch Day – June 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply these patches as a priority to protect their SAP landscape.

On 11th of June 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 3 updates to previously released Security Notes.

| Note# | Title | Severity | CVSS |
|---|---|---|---|
| 3457592 | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation<br>Additional CVE - CVE-2024-37178<br>Product - SAP Financial Consolidation, Version - FINANCE 1010 | High | 8.1 |
| 3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)<br>Product - SAP NetWeaver AS Java, Version - MMR_SERVER 7.5 | High | 7.5 |
| 3453170 | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform<br>Product - SAP NetWeaver and ABAP platform, Versions - ST-PI 2008_1_700, 2008_1_710, 740 | Medium | 6.5 |
| 3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)<br>Product - SAP Document Builder, Versions - S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3466175 | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)<br>Product - SAP S/4HANA (Manage Incoming Payment Files), Versions - S4CORE 102, 103, 104, 105, 106, 107, 108 | Medium | 6.5 |
| 3465129 | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)<br>Product - SAP CRM WebClient UI, Versions - S4FND 102, 103, 104, 105, 106, 107, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801 | Medium | 6.1 |
| 3450286 | Update to Security Note released on May 2024 Patch Day:<br>[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform<br>Product - SAP NetWeaver Application Server ABAP and ABAP Platform, Versions - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796 | Medium | 6.1 |
| 3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP<br>Product - SAP BW/4HANA Transformation and Data Transfer Process, Versions - DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.5 |
| 3457265 | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM)<br>Product - SAP Student Life Cycle Management, Versions - IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808 | Medium | 5.4 |
| 3425571 | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)<br>Product - SAP NetWeaver AS Java, Version - GP-CORE 7.5 | Medium | 5.3 |
| 2638217 | Update to Security Note released on June 2018 Patch Day:<br>Switchable Authorization Checks in Central Finance Infrastructure Components<br>Product - Central Finance Infrastructure Components, Versions - SAP_FIN 720, 730, SAPSCORE 114, S4CORE 100, 101, 102 | Low | 3.9 |
| 3441817 | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)<br>Product - SAP BusinessObjects Business Intelligence Platform, Versions - ENTERPRISE 420, 430, 440 | Low | 3.7 |
| 3392049 | Update to Security Note released on May 2024 Patch Day:<br>[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management<br>Product - SAP Bank Account Management, Versions - 100, 101, 102, 103, 104, 105, 106, 107, 108 | Low | 3.5 |

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.