Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – April 2024

On April 9, 2024, SAP took a significant step towards enhancing the security of its software components by releasing a series of patches aimed at addressing various vulnerabilities. This initiative, part of SAP’s ongoing commitment to software security, targeted a range of issues from code injection to information disclosure vulnerabilities across different SAP products.

Key Highlights from April 2024

Several critical patches were released on April 2024 SAP Security Patch Day, and vulnerabilities were rated based on their severity using the Common Vulnerability Scoring System (CVSS).

SAP ComponentNumberTitleCVSS ScoreCategoryPriorityReleased On
BC-JAS-SEC-UME3434839[CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine8.8Program errorCorrection with high priority09.04.2024
BI-RA-WBI3421384[CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence7.7Program errorCorrection with high priority09.04.2024
FI-AA-AA-A3438234[CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting7.2Program errorCorrection with high priority09.04.2024
LOD-HCI-PI-OP-NM3442741Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL)6.8Program errorCorrection with medium priority09.04.2024
PA-FIO-LEA3164677[CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request)6.5Program errorCorrection with medium priority09.04.2024
BC-CST-DP3359778[CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform6.5Program errorCorrection with medium priority09.04.2024
FIN-CS-CDC-DC3442378[CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data)6.5Program errorCorrection with medium priority09.04.2024
MM-FIO-PUR-REQ-SSP3156972[CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search)6.1Program errorCorrection with medium priority09.04.2024
BC-ESI-WS-JAV-RT3425188[CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tcesiespgrmgwshealthcheck~ear)5.3Program errorCorrection with medium priority09.04.2024
BC-MID-BUS3421453[Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector4.8Program errorCorrection with medium priority09.04.2024
FIN-FSCM-CLM-BAM3430173[CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management)4.3Program errorCorrection with medium priority09.04.2024
FIN-FSCM-CLM-BAM3427178[CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management)4.3Program errorCorrection with medium priority09.04.2024
 
 
 
 

Total Number of Vulnerabilities Fixed: 12

Severity Distribution:

  • Correction with High Priority: 3 vulnerabilities
    • Range of CVSS Scores: 7.2 – 8.8
  • Correction with Medium Priority: 9 vulnerabilities
    • Range of CVSS Scores: 4.3 – 6.8

Vulnerability Types Addressed:

  • Denial of Service (DOS): 1 vulnerability
  • Path Traversal: 1 vulnerability
  • Cross-Site Scripting (XSS): 2 vulnerabilities
  • Information Disclosure: 3 vulnerabilities
  • Improper Access Control: 2 vulnerabilities
  • Missing Authorization Check: 3 vulnerabilities

To request private analytics with detailed PoC, please use the contact form of the RedRays website.

 

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.