SAP Security Patch Day – January 2024

On January 9th, 2024, SAP released a crucial set of security patches. These updates are essential for addressing a variety of vulnerabilities discovered in different SAP components. The primary focus of this SAP Security Patch Day is on fixing program errors that could result in significant security vulnerabilities. Below, you will find a comprehensive summary of the security notes issued, sorted by their severity based on the Common Vulnerability Scoring System (CVSS) scores:

Vulnerability ID	CVE Number	Description	CVSS Score	Release Date	Update Date
3413475	Multiple CVEs	Escalation of Privileges in SAP Edge Integration Cell	9.1	09.01.2024	09.01.2024
3412456	CVE-2023-49583	Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA	9.1	09.01.2024	09.01.2024
3411869	CVE-2024-21737	Code Injection vulnerability in SAP Application Interface Framework (File Adapter)	8.4	09.01.2024	09.01.2024
3386378	CVE-2024-22125	Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge)	7.4	09.01.2024	09.01.2024
3389917	CVE-2023-44487	Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform	7.5	09.01.2024	09.01.2024
3407617	CVE-2024-21735	Improper Authorization check in SAP LT Replication Server	7.3	09.01.2024	09.01.2024
3260667	CVE-2024-21736	Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)	6.4	09.01.2024	09.01.2024
3392626	CVE-2024-22124	Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager	4.1	09.01.2024	09.01.2024
3387737	CVE-2024-21738	Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform	4.1	09.01.2024	09.01.2024
3190894	CVE-2024-21734	URL Redirection vulnerability in SAP Marketing (Contacts App)	3.7	09.01.2024	09.01.2024

Statistics:

Total new SAP notes released: 10
Total vulnerabilities addressed: 10
Highest CVSS Score: 9.1 (HotNews)

Top 3 Critical Issues:

BC-CP-IS-EDG-DPL & CA-BAS-S8D [Multiple CVEs & CVE-2023-49583]: Escalation of Privileges in SAP Edge Integration Cell and applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA (CVSS Score: 9.1)

These vulnerabilities could lead to unauthorized escalation of privileges, posing a significant threat to system security and data integrity.
BC-SRV-AIF [CVE-2024-21737]: Code Injection vulnerability in SAP Application Interface Framework (File Adapter) (CVSS Score: 8.4)

This issue allows attackers to inject malicious code, potentially compromising the confidentiality, integrity, and availability of the system.
BC-FES-CTL [CVE-2024-22125]: Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) (CVSS Score: 7.4)

This vulnerability could lead to unauthorized disclosure of sensitive information, impacting the confidentiality of data processed through the SAP GUI connector for Microsoft Edge.

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Secure Your SAP BTP Applications: A Guide to Protecting Your Business in the Cloud

May 2, 2024

As businesses increasingly rely on cloud platforms like SAP BTP to drive innovation and efficiency, ensuring the security of applications and data

SAP Security Patch Day – April 2024

April 9, 2024

On April 9, 2024, SAP took a significant step towards enhancing the security of its software components by releasing a series of

SAP Security Patch Day – March 2024

March 12, 2024

On March 12, 2024, SAP took a significant step towards enhancing the security of its software components by releasing a series of

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,