Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – January 2024

On January 9th, 2024, SAP released a crucial set of security patches. These updates are essential for addressing a variety of vulnerabilities discovered in different SAP components. The primary focus of this SAP Security Patch Day is on fixing program errors that could result in significant security vulnerabilities. Below, you will find a comprehensive summary of the security notes issued, sorted by their severity based on the Common Vulnerability Scoring System (CVSS) scores:

| Vulnerability ID | CVE Number | Description | CVSS Score | Release Date | Update Date |
|---|---|---|---|---|---|
| 3413475 | Multiple CVEs | Escalation of Privileges in SAP Edge Integration Cell | 9.1 | 09.01.2024 | 09.01.2024 |
| 3412456 | CVE-2023-49583 | Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA | 9.1 | 09.01.2024 | 09.01.2024 |
| 3411869 | CVE-2024-21737 | Code Injection vulnerability in SAP Application Interface Framework (File Adapter) | 8.4 | 09.01.2024 | 09.01.2024 |
| 3386378 | CVE-2024-22125 | Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) | 7.4 | 09.01.2024 | 09.01.2024 |
| 3389917 | CVE-2023-44487 | Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform | 7.5 | 09.01.2024 | 09.01.2024 |
| 3407617 | CVE-2024-21735 | Improper Authorization check in SAP LT Replication Server | 7.3 | 09.01.2024 | 09.01.2024 |
| 3260667 | CVE-2024-21736 | Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | 6.4 | 09.01.2024 | 09.01.2024 |
| 3392626 | CVE-2024-22124 | Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager | 4.1 | 09.01.2024 | 09.01.2024 |
| 3387737 | CVE-2024-21738 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform | 4.1 | 09.01.2024 | 09.01.2024 |
| 3190894 | CVE-2024-21734 | URL Redirection vulnerability in SAP Marketing (Contacts App) | 3.7 | 09.01.2024 | 09.01.2024 |

Statistics:

  • Total new SAP notes released: 10
  • Total vulnerabilities addressed: 10
  • Highest CVSS Score: 9.1 (HotNews)

Top 3 Critical Issues:

  1. BC-CP-IS-EDG-DPL & CA-BAS-S8D [Multiple CVEs & CVE-2023-49583]: Escalation of Privileges in SAP Edge Integration Cell and applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA (CVSS Score: 9.1)

    These vulnerabilities could lead to unauthorized escalation of privileges, posing a significant threat to system security and data integrity.

  2. BC-SRV-AIF [CVE-2024-21737]: Code Injection vulnerability in SAP Application Interface Framework (File Adapter) (CVSS Score: 8.4)

    This issue allows attackers to inject malicious code, potentially compromising the confidentiality, integrity, and availability of the system.

  3. BC-FES-CTL [CVE-2024-22125]: Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) (CVSS Score: 7.4)

    This vulnerability could lead to unauthorized disclosure of sensitive information, impacting the confidentiality of data processed through the SAP GUI connector for Microsoft Edge.
