On the latest SAP Patch Day, SAP worked closely with the Onapsis Research Labs to fix a total of five vulnerabilities across four SAP security notes.
One of the most critical issues addressed was SAP Security Note #3417627, rated with a CVSS score of 8.8. It fixes a Cross-Site Scripting vulnerability in SAP NetWeaver AS Java that poses a significant threat to data integrity and user privacy.
Another high-priority issue was SAP Security Note #3561264, rated with a CVSS score of 5.3, which addresses an information disclosure vulnerability in SAP NetWeaver Application Server ABAP that makes information publicly accessible.
SAP Security Note #3567172, rated with a CVSS score of 7.5, tackles multiple security vulnerabilities in SAP Enterprise Project Connection.
A vulnerability with a CVSS score of 8.7, addressed by SAP Security Note #3525794, impacts the permission check in the SAP BusinessObjects (SAP BO) Business Intelligence platform.
The Onapsis Platform has already been updated to integrate these newly published vulnerabilities into the product. It's worth noting that four of the 19 new security notes were provided in collaboration with the Onapsis Research Labs.
SAP Enterprise Project Connection was also found to use versions of the Spring Framework open-source libraries that may be vulnerable to CVE-2024-38819, CVE-2024-38820, and CVE-2024-38828.
The general maintenance window for SAP Enterprise Project Connection 3.0 ends on October 14, 2025.
The Onapsis Research Labs team made a significant contribution to the security of SAP customers worldwide during this Patch Day.
Additionally, SAP Security Note #3567551, rated with a CVSS score of 8.6, was patched in collaboration with the Onapsis Research Labs and addresses a critical path traversal vulnerability in an accessible servlet of SAP Supplier Relationship Management (Master Data Management Catalog).
In addition to the High Priority SAP Security Notes #3567551 and #3563929, the Onapsis Research Labs (ORL) team contributed to three more vulnerabilities resolved during this Patch Day.
Note that an attacker can gain access to sensitive information by specifying a particular user; systems on which the ICF services /sap/public/bc/workflow/shortcut or /sap/bc/workflow/shortcut have been activated are potentially affected by this vulnerability. For details on all security notes, please visit the Onapsis Blog.
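As a defender-side check for the two ICF service paths named above, the following added example (not code from the article, Onapsis or SAP) scans web server access log lines for requests to those paths. It assumes a CLF-style log layout such as the SAP ICM access log can be configured to produce; the sample lines are constructed, and the path normalisation (percent-decoding, case folding, collapsing slashes) is there so that encoded or differently cased variants of the same path are not missed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in a CLF-like layout (assumption, not data from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2025:09:12:01 +0000] "GET /sap/bc/workflow/shortcut?sap-client=100 HTTP/1.1" 200 512
10.0.0.7 - - [11/Feb/2025:09:13:44 +0000] "GET /sap/public/bc/workflow/Shortcut/item HTTP/1.1" 200 330
10.0.0.9 - - [11/Feb/2025:09:14:10 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12
10.0.0.5 - - [11/Feb/2025:09:15:02 +0000] "GET /sap%2Fbc%2Fworkflow%2Fshortcut HTTP/1.1" 200 512
"""

# The two ICF service paths named in the article.
WATCHED = ("/sap/public/bc/workflow/shortcut", "/sap/bc/workflow/shortcut")

# client, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw):
    """Strip the query string, percent-decode, collapse slashes, fold case."""
    path = unquote(urlsplit(raw).path)
    return re.sub(r"/+", "/", path).lower().rstrip("/")


def matches_watched(target):
    """True if the request target is one of the watched services or a sub-path of one."""
    p = normalize_path(target)
    return any(p == w or p.startswith(w + "/") for w in WATCHED)


def find_shortcut_requests(log_text):
    """Return one record per request that hit a watched workflow shortcut service."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        client, ts, method, target, status = m.groups()
        if matches_watched(target):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": normalize_path(target), "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_shortcut_requests(SAMPLE_LOG):
        print(hit)
```

Whether the services are active at all is checked in the ICF service tree (transaction SICF) rather than in logs; the log scan only shows whether they are being requested.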
Subscribing to the monthly Onapsis Defender's Digest newsletter provides more information on the latest SAP security issues and the ongoing efforts to share knowledge with the security community.