On April 9, 2024, SAP took a significant step towards enhancing the security of its software components by releasing a series of patches aimed at addressing various vulnerabilities. This initiative, part of SAP’s ongoing commitment to software security, targeted a range of issues from code injection to information disclosure vulnerabilities across different SAP products.
Key Highlights from April 2024
Several patches were released on the April 2024 SAP Security Patch Day, with each vulnerability rated by severity using the Common Vulnerability Scoring System (CVSS).
SAP Component | SAP Note Number | Title | CVSS Score | Category | Priority | Released On |
---|---|---|---|---|---|---|
BC-JAS-SEC-UME | 3434839 | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | 8.8 | Program error | Correction with high priority | 09.04.2024 |
BI-RA-WBI | 3421384 | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | 7.7 | Program error | Correction with high priority | 09.04.2024 |
FI-AA-AA-A | 3438234 | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | 7.2 | Program error | Correction with high priority | 09.04.2024 |
LOD-HCI-PI-OP-NM | 3442741 | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | 6.8 | Program error | Correction with medium priority | 09.04.2024 |
PA-FIO-LEA | 3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) | 6.5 | Program error | Correction with medium priority | 09.04.2024 |
BC-CST-DP | 3359778 | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | 6.5 | Program error | Correction with medium priority | 09.04.2024 |
FIN-CS-CDC-DC | 3442378 | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | 6.5 | Program error | Correction with medium priority | 09.04.2024 |
MM-FIO-PUR-REQ-SSP | 3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | 6.1 | Program error | Correction with medium priority | 09.04.2024 |
BC-ESI-WS-JAV-RT | 3425188 | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc | 5.3 | Program error | Correction with medium priority | 09.04.2024 |
BC-MID-BUS | 3421453 | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | 4.8 | Program error | Correction with medium priority | 09.04.2024 |
FIN-FSCM-CLM-BAM | 3430173 | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | 4.3 | Program error | Correction with medium priority | 09.04.2024 |
FIN-FSCM-CLM-BAM | 3427178 | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | 4.3 | Program error | Correction with medium priority | 09.04.2024 |