Advisory

SAP releases August patch, fixing 17 new flaws and updating 8, including two critical

Take action: If you are using SAP products, review the patch release and plan to update your systems. Give immediate priority to patching SAP BusinessObjects Business Intelligence and to assessing the impact of the SAP Build Apps flaw. After that, review the rest and plan a regular patch cycle.


Learn More

SAP has released its August 2024 security patch package, addressing 17 new vulnerabilities and updating 8, including two critical flaws.

Critical vulnerabilities

  • CVE-2024-41730 (CVSS score 9.8) allows remote attackers to fully compromise SAP BusinessObjects Business Intelligence Platform versions 430 and 440. The flaw arises from a "missing authentication check" and is exploitable when Single Sign-On (SSO) is enabled on Enterprise authentication. Attackers can use a REST endpoint to obtain a logon token, which could lead to a complete compromise of the system, severely impacting confidentiality, integrity, and availability.
  • CVE-2024-29415 (CVSS score 9.1) is a server-side request forgery (SSRF) vulnerability that affects applications built with SAP Build Apps versions earlier than 4.11.130. The flaw is related to the 'ip' package for Node.js, which incorrectly identifies '127.0.0.1' as a public and globally routable IP address when it is written in octal representation, due to an incomplete fix of a previous vulnerability (CVE-2023-42282).
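The CVE-2024-29415 entry above comes down to address classification: a loopback address written in a non-canonical form (octal octets) slipped past a public/private check, which is exactly what an SSRF guard relies on. The following is an added example, not code from SAP or from the npm `ip` package, of the fail-closed approach a defender can use instead: accept only canonical dotted-decimal IPv4 text, reject every other textual form (octal, hex, shorthand, integer) before it reaches the range check, and treat anything unparseable as not public. The function names and the sample addresses are this example's own assumptions.

```javascript
// Added example (not SAP's or the `ip` package's code): a strict IPv4
// classifier for outbound-request (SSRF) guards. Instead of trying to
// normalise every spelling an address can have, it accepts only canonical
// dotted-decimal with no leading zeros, so "0177.0.0.1", "0x7f.0.0.1",
// "127.1" and "2130706433" are all rejected up front and never reach the
// range comparison.

// Four groups of 0-255, no leading zeros ("0" alone is allowed, "01" is not).
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const CANONICAL_IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Returns the four octets as numbers, or null if the text is not canonical.
function parseStrictIPv4(str) {
  if (typeof str !== 'string' || !CANONICAL_IPV4.test(str)) return null;
  return str.split('.').map(Number);
}

// Address blocks an application should never treat as public:
// this-network, RFC 1918 private, CGNAT, loopback, link-local,
// multicast and the reserved/broadcast block. [base octets, prefix length]
const NON_PUBLIC_RANGES = [
  [[0, 0, 0, 0], 8],
  [[10, 0, 0, 0], 8],
  [[100, 64, 0, 0], 10],
  [[127, 0, 0, 0], 8],
  [[169, 254, 0, 0], 16],
  [[172, 16, 0, 0], 12],
  [[192, 168, 0, 0], 16],
  [[224, 0, 0, 0], 4],
  [[240, 0, 0, 0], 4],
];

// Pack four octets into an unsigned 32-bit integer.
function toUint32(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if `octets` falls inside base/prefixLen (CIDR match).
function inRange(octets, base, prefixLen) {
  const mask = prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
  return (toUint32(octets) & mask) === (toUint32(base) & mask);
}

// True only for a canonically written, globally routable IPv4 address.
// Unparseable input returns false, so a guard built on this fails closed.
function isPublicIPv4(str) {
  const octets = parseStrictIPv4(str);
  if (octets === null) return false;
  return !NON_PUBLIC_RANGES.some(([base, len]) => inRange(octets, base, len));
}

// Example guard: decide whether an outbound request to `target` may proceed.
// Returns a short reason string so the decision can be logged.
function checkOutboundTarget(target) {
  if (parseStrictIPv4(target) === null) return 'reject: non-canonical address';
  return isPublicIPv4(target) ? 'allow' : 'reject: non-public address';
}

// Constructed sample inputs (not from the advisory) showing the decisions.
for (const t of ['8.8.8.8', '127.0.0.1', '0177.0.0.1', '0x7f.0.0.1', '10.1.2.3']) {
  console.log(t.padEnd(12), checkOutboundTarget(t));
}

module.exports = { parseStrictIPv4, isPublicIPv4, checkOutboundTarget };
```

The design choice is to reject rather than canonicalise: a normaliser has to anticipate every alternative spelling a resolver might accept, whereas a strict grammar only has to describe the one form the application is willing to pass on. Hostnames still need a separate step (resolve, then classify the resolved address with the same function) before the connection is made.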

SAP also resolved four high-severity vulnerabilities:

  • CVE-2024-42374 (CVSS score 8.2): An XML injection issue in the SAP BEx Web Java Runtime Export Web Service, affecting multiple BI-BASE and BIWEBAPP 7.5 versions.
  • CVE-2023-30533 (CVSS score 7.8): A prototype pollution flaw in SAP S/4 HANA's Manage Supply Protection module, impacting older library versions of SheetJS CE below 0.19.3.
  • CVE-2024-34688 (CVSS score 7.5): A Denial of Service (DoS) vulnerability in SAP NetWeaver AS Java, specifically within the Meta Model Repository component version MMR_SERVER 7.5.
  • CVE-2024-33003 (CVSS score 7.4): An information disclosure issue in SAP Commerce Cloud, affecting versions from HY_COM 1808 to COM_CLOUD 2211.

Users of SAP products are advised to review the patch release and update their systems.
