- Vulnerability: Multiple vulnerabilities in SAP CX Commerce
- SAP Component: CEC-SCC-PLA-PL
- CVE ID: CVE-2019-17495
- CVSS Score: 9.8
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Category: Program error
- Priority: HotNews
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
- SAP Component: BC-SRV-KPR-CMS
- CVE ID: CVE-2024-33006
- CVSS Score: 9.6
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Category: Program error
- Priority: HotNews
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
- SAP Component: BI-BIP-INV
- CVE ID: CVE-2024-28165
- CVSS Score: 8.1
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Category: Program error
- Priority: Correction with high priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Information Disclosure in Enterprise Services Repository of SAP Process Integration
- SAP Component: BC-XI-IBD-INF
- CVE ID: (Not provided)
- CVSS Score: 5.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 11.05.2021

- Vulnerability: Missing Authorization check in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)
- SAP Component: FI-FIO-AR-PAY
- CVE ID: Multiple CVEs
- CVSS Score: 4.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: SQL injection vulnerability in SAP Global Label Management (GLM)
- SAP Component: EHS-SAF-GLM
- CVE ID: CVE-2024-33009
- CVSS Score: 4.2
- CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Memory Corruption vulnerability in SAP Replication Server
- SAP Component: BC-SYB-REP
- CVE ID: CVE-2024-33008
- CVSS Score: 4.9
- CVSS Vector: CVSS:/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Potential information disclosure relating to PI Integration Directory
- SAP Component: BC-XI-IBC
- CVE ID: (Not provided)
- CVSS Score: 4.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 07.12.2017

- Vulnerability: Missing Authorization check in SAP My Travel Requests
- SAP Component: FI-TV-ODT-MTR
- CVE ID: CVE-2024-32731
- CVSS Score: 5.5
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
- SAP Component: BC-MID-AC
- CVE ID: CVE-2024-32733
- CVSS Score: 6.1
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform
- SAP Component: BC-SRV-GBT-GOS
- CVE ID: CVE-2024-34687
- CVSS Score: 6.5
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS)
- SAP Component: BC-EIM-ESH
- CVE ID: CVE-2024-33002
- CVSS Score: 6.1
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Client-side script execution vulnerability in SAP UI5 (PDFViewer)
- SAP Component: CA-UI5-SC
- CVE ID: CVE-2024-33007
- CVSS Score: 3.5
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Category: Program error
- Priority: Correction with low priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Missing Authorization check in SAP Bank Account Management
- SAP Component: FIN-FSCM-CLM-BAM
- CVE ID: CVE-2024-33000
- CVSS Score: 3.5
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
- Category: Program error
- Priority: Correction with low priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
- SAP Component: BI-BIP-INV
- CVE ID: CVE-2024-33004
- CVSS Score: 4.3
- CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 14.05.2024

- Vulnerability: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
- SAP Component: BC-XI-IBC
- CVE ID: (Not provided)
- CVSS Score: 4.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Category: Program error
- Priority: Correction with medium priority
- Released On: 14.05.2024
- First Released On: 07.12.2017

May 2024 SAP Security Patch Day Highlights:

- Total Number of Vulnerabilities: 16
- Distribution of Vulnerabilities by Priority:
  - HotNews: 2 vulnerabilities
  - Correction with high priority: 1 vulnerability
  - Correction with medium priority: 9 vulnerabilities
  - Correction with low priority: 3 vulnerabilities
  - Not specified: 1 vulnerability
- Distribution of Vulnerabilities by Category:
  - Program error: 16 vulnerabilities
- Distribution of Vulnerabilities by CVSS Score:
  - Score 9.8: 1 vulnerability
  - Score 9.6: 1 vulnerability
  - Score 8.1: 1 vulnerability
  - Score 6.5: 1 vulnerability
  - Score 6.1: 2 vulnerabilities
  - Score 5.5: 1 vulnerability
  - Score 5.3: 1 vulnerability
  - Score 4.9: 1 vulnerability
  - Score 4.3: 3 vulnerabilities
  - Score 4.2: 1 vulnerability
  - Score 3.5: 2 vulnerabilities
  - Score 3.5: 1 vulnerability
- Distribution of Vulnerabilities by SAP Component:
  - BC-SRV-KPR-CMS: 1 vulnerability
  - BC-EIM-ESH: 1 vulnerability
  - BI-BIP-INV: 2 vulnerabilities
  - CA-UI5-SC: 1 vulnerability
  - CEC-SCC-PLA-PL: 1 vulnerability
  - EHS-SAF-GLM: 1 vulnerability
  - BC-SYB-REP: 1 vulnerability
  - BC-XI-IBD-INF: 1 vulnerability
  - BC-XI-IBC: 2 vulnerabilities
  - FIN-FSCM-CLM-BAM: 1 vulnerability
  - FI-FIO-AR-PAY: 1 vulnerability
  - BC-MID-AC: 1 vulnerability
  - BC-SRV-GBT-GOS: 1 vulnerability
  - FI-TV-ODT-MTR: 1 vulnerability