
SAP Security Patch Day – February 2024

On February 13th, 2024, SAP released its monthly set of security patches. These updates address vulnerabilities in a range of SAP components, from the desktop SAP Business Client through NetWeaver AS ABAP and AS Java to SAP CRM, Fiori and the Cloud Connector. Below is a summary of the security notes, sorted by CVSS base score from highest to lowest. The patch date column shows that three of the entries (2622660, 3385711 and 2897391) are updates to notes that SAP first published earlier, not new notes; they still need to be re-applied where the earlier version was implemented.


Note    | CVSS | Priority                        | Component      | Patch Date | Description
--------+------+---------------------------------+----------------+------------+-------------
2622660 | 10.0 | HotNews                         | BC-FES-BUS-DSK | 10.04.2018 | Security updates for the browser control Google Chromium delivered with SAP Business Client
3420923 |  9.1 | HotNews                         | CA-SUR         | 13.02.2024 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis)
3417627 |  8.8 | Correction with high priority   | BC-JAS-SEC-UME | 13.02.2024 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)
3426111 |  8.6 | Correction with high priority   | BC-GP          | 13.02.2024 | [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
3410875 |  7.6 | Correction with high priority   | CA-WUI-UI      | 13.02.2024 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
3421659 |  7.4 | Correction with high priority   | XX-IDES        | 13.02.2024 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems
3424610 |  7.4 | Correction with high priority   | BC-MID-SCC     | 13.02.2024 | [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector
3385711 |  7.3 | Correction with high priority   | BC-FES-WGU     | 12.12.2023 | [CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP
2637727 |  6.3 | Correction with medium priority | FIN-FSCM-CLM   | 13.02.2024 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management
3404025 |  5.4 | Correction with medium priority | KM-SEN-CMP     | 13.02.2024 | [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion
3360827 |  5.3 | Correction with medium priority | BC-FES-ITS     | 13.02.2024 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
3396109 |  4.7 | Correction with medium priority | BC-FES-BUS     | 13.02.2024 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML
2897391 |  4.3 | Correction with medium priority | CA-MDG-APP-MM  | 01.02.2024 | [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material
3237638 |  4.3 | Correction with medium priority | PA-FIO-OVT     | 13.02.2024 | [CVE-2024-25643] Missing authorization check in SAP Fiori app (“My Overtime Requests”)
3158455 |  4.1 | Correction with medium priority | CA-WUI-WKB     | 13.02.2024 | [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)

Statistics:

  • Security notes listed: 15, of which 12 carry the 13.02.2024 patch date and 3 (2622660, 3385711, 2897391) are updates to previously published notes
  • Vulnerabilities addressed: 14 with their own CVE identifiers, plus the bundled Chromium fixes in note 2622660, which covers several upstream Chromium CVEs under one note
  • Highest CVSS Score: 10.0 (HotNews)
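The table above can be turned into something a patch-day review can act on. The following Python script is an added example written for this page, not code from RedRays or SAP: it parses the run-together rows exactly as they appear in the page's table (copied into RAW_ROWS), normalises the priority names, ranks the notes by CVSS, checks each priority against SAP's CVSS bands (HotNews 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0) and flags the entries whose patch date differs from the 13.02.2024 patch day, which are re-releases of older notes that need re-checking on systems where the earlier version was applied. The function and field names (parse_row, triage, Note and so on) are this example's own, not an SAP API.

```python
"""Parse run-together SAP Security Patch Day table rows and triage them.

Added example for this page. The row strings are copied from the February
2024 table as it appears on the page; PATCH_DAY is the release date the page
gives. All helper and field names are this example's own, not an SAP API.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

PATCH_DAY = date(2024, 2, 13)

# Rows copied verbatim from the page's table: component, note number, title,
# CVSS score, priority and patch date run together without separators.
RAW_ROWS = [
    "BC-FES-BUS-DSK2622660Security updates for the browser control Google Chromium delivered with SAP Business Client10.0HotNews10.04.2018",
    "CA-SUR3420923[CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis)9.1HotNews13.02.2024",
    "BC-JAS-SEC-UME3417627[CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)8.8Correction with high priority13.02.2024",
    "BC-GP3426111[CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)8.6Correction with high priority13.02.2024",
    "CA-WUI-UI3410875[CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)7.6Correction with high priority13.02.2024",
    "XX-IDES3421659[CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems7.4Correction with high priority13.02.2024",
    "BC-MID-SCC3424610[CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector7.4Correction with high priority13.02.2024",
    "BC-FES-WGU3385711[CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP7.3Correction with high priority12.12.2023",
    "FIN-FSCM-CLM2637727[CVE-2024-24739] Missing authorization check in SAP Bank Account Management6.3Correction with medium priority13.02.2024",
    "KM-SEN-CMP3404025[CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion5.4Correction with medium priority13.02.2024",
    "BC-FES-ITS3360827[CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)5.3Correction with medium priority13.02.2024",
    "BC-FES-BUS3396109[CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML4.7Correction with medium priority13.02.2024",
    "CA-MDG-APP-MM2897391[CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material4.3Correction with medium priority01.02.2024",
    "PA-FIO-OVT3237638[CVE-2024-25643] Missing authorization check in SAP Fiori app (“My Overtime Requests”)4.3Correction with medium priority13.02.2024",
    "CA-WUI-WKB3158455[CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)4.1Correction with medium priority13.02.2024",
]

ROW_RE = re.compile(
    r"^(?P<component>[A-Z0-9-]+?)"   # application component; digits allowed, hence non-greedy
    r"(?P<note>\d{7})"               # seven-digit SAP note number
    r"(?P<description>.+?)"          # title, usually prefixed with [CVE-...]
    r"(?P<cvss>\d{1,2}\.\d)"         # CVSS base score such as 9.1 or 10.0
    r"(?P<priority>HotNews|Correction with (?:high|medium|low) priority)"
    r"(?P<patch_date>\d{2}\.\d{2}\.\d{4})$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PRIORITY_SHORT = {
    "HotNews": "HotNews",
    "Correction with high priority": "High",
    "Correction with medium priority": "Medium",
    "Correction with low priority": "Low",
}


@dataclass(frozen=True)
class Note:
    component: str
    number: str
    description: str
    cve: Optional[str]
    cvss: float
    priority: str
    patch_date: date


def parse_row(row: str) -> Note:
    """Split one run-together table row into its fields; raise on malformed input."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"row does not match the table layout: {row!r}")
    cve = CVE_RE.search(m["description"])
    return Note(
        component=m["component"],
        number=m["note"],
        description=m["description"].strip(),
        cve=cve.group(0) if cve else None,
        cvss=float(m["cvss"]),
        priority=PRIORITY_SHORT[m["priority"]],
        patch_date=datetime.strptime(m["patch_date"], "%d.%m.%Y").date(),
    )


def expected_priority(cvss: float) -> str:
    """SAP's CVSS bands: HotNews >= 9.0, High >= 7.0, Medium >= 4.0, otherwise Low."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def parse_all() -> List[Note]:
    return [parse_row(r) for r in RAW_ROWS]


def triage(notes: List[Note], patch_day: date) -> dict:
    """Rank notes by CVSS and flag what a patch-day review should look at first."""
    ranked = sorted(notes, key=lambda n: -n.cvss)  # stable sort: ties keep table order
    return {
        "ranked": ranked,
        "hotnews": [n.number for n in ranked if n.priority == "HotNews"],
        # A patch date before this patch day means a re-released older note:
        # systems that applied the earlier version need the new one as well.
        "updated": [n.number for n in ranked if n.patch_date != patch_day],
        # A priority outside its CVSS band points at a transcription error in the table.
        "mismatched": [n.number for n in ranked if n.priority != expected_priority(n.cvss)],
        "cve_count": sum(1 for n in ranked if n.cve is not None),
    }


if __name__ == "__main__":
    result = triage(parse_all(), PATCH_DAY)
    for n in result["ranked"]:
        flag = " (updated note)" if n.number in result["updated"] else ""
        print(f"{n.cvss:4.1f} {n.priority:8} {n.number} {n.cve or '-':15} {n.description}{flag}")
    print("HotNews:", result["hotnews"], "updated:", result["updated"],
          "mismatched:", result["mismatched"], "CVEs:", result["cve_count"])
```

Running it prints the ranked list with the three re-released notes flagged and confirms that every priority in the table agrees with its CVSS band; next month's table needs only a new RAW_ROWS list and PATCH_DAY value.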

Top 3 Critical Issues:

  1. BC-FES-BUS-DSK: Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score: 10.0, Priority: HotNews)

    Note 2622660 is the recurring note that SAP re-releases each time the Chromium browser control bundled with SAP Business Client is updated; the 10.04.2018 patch date in the table is the note's original publication, not the date of this fix. The vulnerable component runs on the end-user workstation, not on the SAP server, so remediation means rolling out the current SAP Business Client patch level to every desktop on which it is installed, and the HotNews rating inherits the severity of the upstream Chromium fixes it carries.

  2. CA-SUR: [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) (CVSS Score: 9.1, Priority: HotNews)

    This vulnerability allows code injection in SAP ABA, the application basis layer that ships with every ABAP-based SAP system, so the note is relevant to every NetWeaver ABAP and S/4HANA landscape rather than to one product. Successful exploitation means unauthorized code execution on the application server and compromises the confidentiality, integrity and availability of the system. Implement the note with SNOTE and confirm that it reaches the status "Completely implemented" in each system, including development and test systems, which are often patched last but are usually reachable from the same network.

  3. BC-JAS-SEC-UME: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) (CVSS Score: 8.8, Priority: Correction with high priority)

    This is a Cross-Site Scripting (XSS) vulnerability in the User Admin application of the User Management Engine (UME) on NetWeaver AS Java. Because that application is used by administrators, an injected script executes in an administrator's browser session and can perform user and role management actions with the administrator's privileges, which is why the score is unusually high for an XSS issue and why the fix should not be deferred as a cosmetic web bug.

The vulnerabilities have been researched and integrated into the RedRays Security Platform database.

To request private analytics with detailed PoC, please use the contact form of the RedRays website.

Udemy SAP Security Course

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.
