Arpine Maghakyan

Security Researcher of RedRays.

SAP Security Patch Day – March 2024

On March 12, 2024, SAP released its monthly set of security notes, addressing vulnerabilities that range from code injection to information disclosure across several SAP products. The release is part of SAP's regular Security Patch Day cycle.

Key Highlights from March 2024

Several critical patches were released on the March 2024 SAP Security Patch Day. Each vulnerability is rated by severity using the Common Vulnerability Scoring System (CVSS), and SAP assigns a priority (HotNews, high, medium) on that basis.

Note Number | Title | CVSS Score | Priority | Patch Date
------------|-------|------------|----------|-----------
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | 12.03.2024
3425274 | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps | 9.4 | HotNews | 12.03.2024
3433192 | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) | 9.1 | HotNews | 12.03.2024
3410615 | [CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced | 7.5 | Correction with high priority | 12.03.2024
3414195 | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) | 7.2 | Correction with high priority | 12.03.2024
3377979 | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI) | 5.4 | Correction with medium priority | 12.03.2024
3434192 | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages) | 5.3 | Correction with medium priority | 12.03.2024
3425682 | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM) | 5.3 | Correction with medium priority | 12.03.2024
3428847 | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) | 5.3 | Correction with medium priority | 12.03.2024
3417399 | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server | 4.6 | Correction with medium priority | 12.03.2024
3419022 | [CVE-2024-27900] Missing Authorization check in SAP ABAP Platform | 4.3 | Correction with medium priority | 12.03.2024

Total Number of Vulnerabilities Fixed: 11

Severity Distribution:

  • HotNews (Critical Severity): 3 vulnerabilities
    • Highest CVSS Score: 10.0
    • Vulnerabilities with CVSS Scores ≥ 9.0: 3
  • Correction with High Priority: 2 vulnerabilities
    • Range of CVSS Scores: 7.2 – 7.5
  • Correction with Medium Priority: 6 vulnerabilities
    • Range of CVSS Scores: 4.3 – 5.4

Vulnerability Types Addressed:

  • Code Injection: 2 vulnerabilities
  • Denial of Service (DOS): 1 vulnerability
  • Path Traversal: 1 vulnerability
  • Cross-Site Scripting (XSS): 1 vulnerability
  • Information Disclosure: 4 vulnerabilities
  • Improper Access Control: 1 vulnerability
  • Missing Authorization Check: 1 vulnerability

To request private analytics with detailed PoC, please use the contact form of the RedRays website.
