
SAP has released its monthly security patches for August 2024, addressing vulnerabilities across its product portfolio. The update includes fixes for 17 new security notes and 8 updates to previously released notes.
The most critical vulnerability, tracked as CVE-2024-41730 with a CVSS score of 9.8, affects the SAP BusinessObjects Business Intelligence Platform. It allows an unauthorized user to obtain a logon token and potentially gain full control of the system, with severe consequences for confidentiality, integrity, and availability.
Another high-priority vulnerability, CVE-2024-29415 with a CVSS score of 9.1, affects applications built with SAP Build Apps. This Server-Side Request Forgery vulnerability allows attackers to make the server issue requests on their behalf, potentially leading to data breaches or unauthorized actions.
The August patch also addresses vulnerabilities in various other SAP products, including SAP BEx Web Java Runtime Export Web Service, SAP S/4 HANA, SAP Commerce Cloud, SAP NetWeaver AS Java, SAP Landscape Management, SAP Replication Server, and more. These vulnerabilities range in severity from medium to high, with potential impacts including denial of service, information disclosure, and unauthorized access.
SAP administrators are strongly urged to review and apply the relevant Security Notes as soon as possible. For detailed information on all the vulnerabilities addressed in the August 2024 Security Patch Day, refer to the SAP Support
Patch Summary
| CVE ID | CVE Title |
|---|---|
| CVE-2024-41730 | Missing Authentication check in SAP BusinessObjects Business Intelligence Platform |
| CVE-2024-29415 | Server-Side Request Forgery vulnerability in applications built with SAP Build Apps |
| CVE-2024-42374 | XML injection in SAP BEx Web Java Runtime Export Web Service |
| CVE-2023-30533 | Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) |
| CVE-2024-34688 | Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) |
| CVE-2024-33003 | Information Disclosure Vulnerability in SAP Commerce Cloud |
| CVE-2024-39593 | Information Disclosure vulnerability in SAP Landscape Management |
| CVE-2024-34683 | Unrestricted file upload in SAP Document Builder (HTTP service) |
| CVE-2024-42376 | Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework |
| CVE-2024-33005 | Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server |
| CVE-2024-39594 | Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation |
| CVE-2024-37176 | Missing Authorization check in SAP BW/4HANA Transformation and DTP |
| CVE-2024-41735 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice |
| CVE-2024-41733 | Information Disclosure Vulnerability in SAP Commerce |
| CVE-2024-41737 | Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) |
| CVE-2024-34689 | Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) |
| CVE-2024-41732 | Improper Access Control in SAP Netweaver Application Server ABAP |
| CVE-2023-0023 | Information Disclosure in SAP Bank Account Management (Manage Banks) |
| CVE-2024-42375 | Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform |
| CVE-2024-41736 | Information Disclosure vulnerability in SAP Permit to Work |
| CVE-2024-39591 | Missing Authorization check in SAP Document Builder |
| CVE-2024-42373 | Missing Authorization Check in SAP Student Life Cycle Management (SLcM) |
| CVE-2024-41734 | Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform |
| CVE-2024-37180 | Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform |