Skip links

SAP Security Patch Day – April 2024

On April 9, 2024, SAP took a significant step towards enhancing the security of its software components by releasing a series of patches aimed at addressing various vulnerabilities. This initiative, part of SAP’s ongoing commitment to software security, targeted a range of issues from code injection to information disclosure vulnerabilities across different SAP products.

Key Highlights from April 2024

Several critical patches were released on April 2024 SAP Security Patch Day, and vulnerabilities were rated based on their severity using the Common Vulnerability Scoring System (CVSS).

SAP ComponentNumberTitleCVSS ScoreCategoryPriorityReleased On
BC-JAS-SEC-UME3434839[CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine8.8Program errorCorrection with high priority09.04.2024
BI-RA-WBI3421384[CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence7.7Program errorCorrection with high priority09.04.2024
FI-AA-AA-A3438234[CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting7.2Program errorCorrection with high priority09.04.2024
LOD-HCI-PI-OP-NM3442741Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL)6.8Program errorCorrection with medium priority09.04.2024
PA-FIO-LEA3164677[CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request)6.5Program errorCorrection with medium priority09.04.2024
BC-CST-DP3359778[CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform6.5Program errorCorrection with medium priority09.04.2024
FIN-CS-CDC-DC3442378[CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data)6.5Program errorCorrection with medium priority09.04.2024
MM-FIO-PUR-REQ-SSP3156972[CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search)6.1Program errorCorrection with medium priority09.04.2024
BC-ESI-WS-JAV-RT3425188[CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tcesiespgrmgwshealthcheck~ear)5.3Program errorCorrection with medium priority09.04.2024
BC-MID-BUS3421453[Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector4.8Program errorCorrection with medium priority09.04.2024
FIN-FSCM-CLM-BAM3430173[CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management)4.3Program errorCorrection with medium priority09.04.2024
FIN-FSCM-CLM-BAM3427178[CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management)4.3Program errorCorrection with medium priority09.04.2024

Total Number of Vulnerabilities Fixed: 12

Severity Distribution:

  • Correction with High Priority: 3 vulnerabilities
    • Range of CVSS Scores: 7.2 – 8.8
  • Correction with Medium Priority: 9 vulnerabilities
    • Range of CVSS Scores: 4.3 – 6.8

Vulnerability Types Addressed:

  • Denial of Service (DOS): 1 vulnerability
  • Path Traversal: 1 vulnerability
  • Cross-Site Scripting (XSS): 2 vulnerabilities
  • Information Disclosure: 3 vulnerabilities
  • Improper Access Control: 2 vulnerabilities
  • Missing Authorization Check: 3 vulnerabilities

To request private analytics with detailed PoC, please use the contact form of the RedRays website.


How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error