SAP Security Notes – June 2024 - Safe O'Clock

SAP Security Notes – June 2024

June 11, 2024

On the 11th of June 2024, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 2 updates to previously released Security Notes.

Notes by severity

HotNews: 0
Correction with high priority: 2
Correction with medium priority: 8
Correction with low priority: 2


Highlights

On June Patch Day SAP presents 2 high-severity Notes, none of them rated as HotNews.

Although the June Patch Day brings only a few high-priority vulnerabilities, here is what you should pay attention to first in this monthly SAP Security Notes update.

Starting today’s digest with the SAP Financial Consolidation security patch, Note 3457592, Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation, with a CVSS Score of 8.1.
Two vulnerabilities in SAP Financial Consolidation are addressed in this security note:
Reflected XSS: SAP Financial Consolidation lets data from an untrusted source enter the web application. The affected endpoints are reachable over the network, and by accessing them a user can alter the content shown on the website. A successful exploit can seriously compromise the application’s integrity and confidentiality.

Stored XSS: This vulnerability stems from SAP Financial Consolidation‘s inadequate encoding of user-controlled input. The affected endpoints are reachable over the network, and the vulnerability can affect resources beyond the vulnerable component. A successful exploit has only a low impact on the application’s confidentiality.

Additional information on the Note’s corrections and prerequisites can be found under CVE-2024-37177 and CVE-2024-37178 respectively.

The next high-severity security Note to highlight is Note 3460407, Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository), with a CVSS Score of 7.5.
Unrestricted access to the Meta Model Repository services lets attackers launch denial-of-service (DoS) attacks against SAP NetWeaver AS Java, which could prevent legitimate users from using the application. This may have little effect on integrity and confidentiality, but a significant impact on the application’s availability.

Another Note to bring forward is the medium-severity Note 3453170, Denial of service (DOS) in SAP NetWeaver and ABAP platform, with a CVSS Score of 6.5.
By overloading or disrupting the service, an attacker can obstruct legitimate users’ access to SAP NetWeaver and the ABAP platform.

This Denial of Service vulnerability may result in long response times and service outages, degrading the quality of service that authorized users receive and significantly affecting the application’s availability.

SAP Document Builder also received a patch today, Note 3459379, Unrestricted file upload in SAP Document Builder (HTTP service), with a CVSS Score of 6.5.
An authenticated attacker can upload malicious files to the SAP Document Builder service. When this file is accessed, the attacker can view or alter any associated content, or prevent the victim’s browser from displaying it.

The last Note with a 6.5 CVSS Score for today is Note 3466175, Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files).
The Manage Incoming Payment Files application (F1680) of SAP S/4HANA does not perform the required authorization checks for an authenticated user, which leads to privilege escalation. This has little effect on the system’s availability or confidentiality and a significant impact on its integrity.

Today’s Patch Day was a good start to SAP’s summer security improvement season. We will keep you informed of every significant vulnerability this summer.

Stay safe!



| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
| --- | --- | --- | --- | --- | --- |
| EPM-BFC-TCL | 3457592 | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| BC-DWB-JAV-MMR | 3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| SV-SMG-SDD | 3453170 | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CA-GTF-DOB | 3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| FI-FIO-AR-PAY | 3466175 | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CA-WUI-UI | 3465129 | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-MID-AC | 3450286 | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BW4-DM-TRFN | 3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | medium | 5.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| IS-HER-CM-AD | 3457265 | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-GP | 3425571 | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| FI-CF-INF | 2638217 | Switchable Authorization Checks in Central Finance Infrastructure Components | low | 3.9 | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
| BI-BIP-PUB | 3441817 | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) | low | 3.7 | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |