SAP Security Patch Day – May 2024

This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply these patches as a priority to protect their SAP landscape.

On 14 May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. In addition, 3 previously released Security Notes were updated.

Note 2622660 (Hot News, CVSS 10.0)
  Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
  Product: SAP Business Client, Versions: 6.5, 7.0, 7.70

Note 3455438 (Hot News, CVSS 9.8)
  [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce
  Related CVE: CVE-2022-36364
  Product: SAP Commerce, Version: HY_COM 2205

Note 3448171 (Hot News, CVSS 9.6)
  [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
  Product: SAP NetWeaver Application Server ABAP and ABAP Platform, Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Note 3431794 (High, CVSS 8.1)
  [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
  Product: SAP BusinessObjects (Business Intelligence Platform), Versions: 430, 440

Note 3441944 (Medium, CVSS 6.5)
  [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager
  Product: SAP Enable Now, Version: 1704

Note 3448445 (Medium, CVSS 6.5)
  [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
  Product: SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796

Note 3450286 (Medium, CVSS 6.1)
  [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
  Product: SAP NetWeaver Application Server ABAP and ABAP Platform, Versions: SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Note 3460772 (Medium, CVSS 6.1)
  [CVE-2024-33002] Cross-Site Scripting (XSS) vulnerability in SAP S/4HANA (Document Service Handler for DPS)
  Product: SAP S/4HANA (Document Service Handler for DPS), Versions: SAP_BASIS 740, SAP_BASIS 750

Note 3447467 (Medium, CVSS 5.5)
  [CVE-2024-32731] Missing authorization check in SAP My Travel Requests
  Product: My Travel Requests, Version: 600

Note 2745860 (Medium, CVSS 5.3)
  Update to Security Note released on May 2021 Patch Day: Information Disclosure in Enterprise Services Repository of SAP Process Integration
  Product: SAP Process Integration, Versions: MESSAGING 7.31, MESSAGING 7.40, MESSAGING 7.50, NWCEIDE 7.31, SAP_XIESR 7.31, SAP_XIESR 7.40, SAP_XIESR 7.50, SAP_XITOOL 7.31, SAP_XITOOL 7.40, SAP_XITOOL 7.50, SAP_XIAF 7.31, SAP_XIAF 7.40, SAP_XIAF 7.50, SAP_XIGUILIB 7.31, SAP_XIGUILIB 7.40, SAP_XIGUILIB 7.50

Note 3349468 (Medium, CVSS 4.9)
  [CVE-2024-33008] Memory corruption vulnerability in SAP Replication Server
  Product: SAP Replication Server, Versions: 16.0, 16.0.3, 16.0.4

Note 3434666 (Medium, CVSS 4.3)
  [Multiple CVEs] Missing authorization checks in SAP S/4HANA (Manage Bank Statement Reprocessing Rules)
  CVEs: CVE-2024-4139, CVE-2024-4138
  Product: SAP S/4HANA (Manage Bank Statement Reprocessing Rules), Versions: SAPSCORE 131, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108

Note 3449093 (Medium, CVSS 4.3)
  [CVE-2024-33004] Insecure storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
  Product: SAP BusinessObjects Business Intelligence Platform (Webservices), Versions: 430, 440

Note 2174651 (Medium, CVSS 4.3)
  Update to Security Note released on December 2017 Patch Day: Potential information disclosure relating to PI Integration Directory
  Product: SAP Process Integration, Versions: MESSAGING 7.10, MESSAGING 7.11, MESSAGING 7.30, MESSAGING 7.31, MESSAGING 7.40, MESSAGING 7.50, NWCEIDE 7.31, SAP_XITOOL 7.00, SAP_XITOOL 7.01, SAP_XITOOL 7.02, SAP_XITOOL 7.10, SAP_XITOOL 7.11, SAP_XITOOL 7.30, SAP_XITOOL 7.31, SAP_XITOOL 7.40, SAP_XITOOL 7.50, SAP_XIAF 7.31, SAP_XIAF 7.40, SAP_XIAF 7.50, SAP_XIPCK 7.00, SAP_XIPCK 7.01, SAP_XIPCK 7.02, SAP_XIPCK 7.10, SAP_XIPCK 7.11, SAP_XIPCK 7.30

Note 1938764 (Medium, CVSS 4.2)
  [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM)
  Product: SAP Global Label Management (GLM), Versions: 605, 606, 616, 617

Note 3392049 (Low, CVSS 3.5)
  [CVE-2024-33000] Missing authorization check in SAP Bank Account Management
  Product: SAP Bank Account Management, Versions: 100, 101, 102, 103, 104, 105, 106, 107, 108

Note 3446076 (Low, CVSS 3.5)
  [CVE-2024-33007] Client-side script execution vulnerability in SAPUI5 (PDFViewer)
  Product: SAPUI5, Versions: 754, 755, 756, 757, 758
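The version lists above are enumerations of software component releases, so the practical first step on Patch Day is to match them against what each system actually runs. The script below is an added example for doing that, not SAP code: it transcribes the ABAP-stack rows of this month's table (notes 3448171, 3448445, 3450286, 3460772 and 3434666), takes a system's software component releases as a dictionary (the kind of values shown under System > Status > Component information in SAP GUI; the INVENTORY here is constructed), and lists the applicable notes highest CVSS first. Matching is exact on the release string, as SAP's lists are, so an unlisted release such as SAP_BASIS 702 is correctly reported as not affected by note 3450286.

```python
"""Triage the May 2024 SAP Security Notes against one system's installed
software components.

Added example, not SAP code.  Note data is transcribed from the table on
this page (ABAP-stack notes only).  INVENTORY is a constructed sample of
the values SAP GUI shows under System > Status > Component information
(software component and release).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    number: str
    title: str
    severity: str
    cvss: float
    # software component -> set of affected releases.  SAP publishes the
    # releases as an enumeration, so matching is exact-string, not a range.
    affected: dict


def _rel(spec: str) -> frozenset:
    """'740 750' -> frozenset({'740', '750'})"""
    return frozenset(spec.split())


NOTES = (
    Note("3448171", "[CVE-2024-33006] File upload vulnerability in SAP NetWeaver AS ABAP",
         "Hot News", 9.6,
         {"SAP_BASIS": _rel("700 701 702 731 740 750 751 752 753 754 755 756 757 758")}),
    Note("3448445", "[CVE-2024-34687] XSS in SAP NetWeaver AS ABAP",
         "Medium", 6.5,
         {"SAP_BASIS": _rel("700 701 702 731 740 750 751 752 753 754 755 756 757 758 795 796")}),
    Note("3450286", "[CVE-2024-32733] XSS in SAP NetWeaver AS ABAP",
         "Medium", 6.1,
         {"SAP_BASIS": _rel("740 750 751 752 753 754 755 756 757 758")}),
    Note("3460772", "[CVE-2024-33002] XSS in SAP S/4HANA (Document Service Handler for DPS)",
         "Medium", 6.1,
         {"SAP_BASIS": _rel("740 750")}),
    Note("3434666", "[CVE-2024-4139, CVE-2024-4138] Missing authorization checks "
                    "(Manage Bank Statement Reprocessing Rules)",
         "Medium", 4.3,
         {"SAPSCORE": _rel("131"), "S4CORE": _rel("105 106 107 108")}),
)


def matching_components(note: Note, inventory: dict) -> list:
    """Installed components whose release appears in the note's affected list."""
    return sorted(comp for comp, releases in note.affected.items()
                  if inventory.get(comp) in releases)


def affected_notes(inventory: dict) -> list:
    """Notes applicable to this system, highest CVSS first (note number breaks ties)."""
    hits = [n for n in NOTES if matching_components(n, inventory)]
    return sorted(hits, key=lambda n: (-n.cvss, n.number))


def triage_report(inventory: dict) -> list:
    """One human-readable line per applicable note, with the matching components."""
    lines = []
    for n in affected_notes(inventory):
        comps = ", ".join(f"{c} {inventory[c]}" for c in matching_components(n, inventory))
        lines.append(f"{n.number}  {n.severity:<8} {n.cvss:>4}  {n.title}  [{comps}]")
    return lines


# Constructed inventory, chosen to hit several rows of the table.
INVENTORY = {"SAP_BASIS": "757", "S4CORE": "107", "SAP_UI": "757"}

if __name__ == "__main__":
    for line in triage_report(INVENTORY):
        print(line)
```

This tells you which notes to read for a system, not whether the correction is already in place: the same release can be at a support package level that already contains the fix, so confirm the note's status in SNOTE (or the support package level against the note's correction instructions) before closing it out.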

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential for secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.