Advisory

SAP April 2024 patch fixes several high severity issues

Take action: None of this month's SAP security notes is rated critical (the highest is CVSS 8.8), so a regular patch cycle is appropriate. When planning, prioritise SAP NetWeaver Application Server Java (User Management Engine) and SAP BusinessObjects Web Intelligence, which carry the high-severity fixes.


Learn More

SAP released the April 2024 set of patches addressing a series of security vulnerabilities across its products. This latest security update includes ten new and two updated security notes, with three classified as high-severity based on their potential impact.

  • Missing checks in programming logic in the SAP NetWeaver Application Server Java User Management Engine (UME), tracked as CVE-2024-27899 (CVSS score 8.8). The flaw lies in the UME's optional "self-registration" and "modify your own profile" features, which do not enforce the configured SAP password policy, so users can register or change to weak passwords. The issue only applies where these optional features are enabled.
  • Information disclosure vulnerability in SAP BusinessObjects Web Intelligence, tracked as CVE-2024-25646 (CVSS score 7.7), caused by insufficient validation when uploading Excel files.
  • Directory traversal bug in SAP Asset Accounting, tracked as CVE-2024-27901 (CVSS score 7.2).

The remaining security notes issued by SAP address medium-severity vulnerabilities in various products including Integration Suite, NetWeaver, Group Reporting Data Collection, Business Connector, and S/4HANA, among others.

SAP also updated two earlier security notes, from May 2022 and August 2023, addressing an information disclosure flaw in Employee Self Service and a URL redirection bug in S/4HANA, respectively. Check whether the updated notes change the patch or the affected versions for systems you have already patched.
