SAP releases May 2024 patch, fixes multiple critical issues
Take action: Another patch day covering multiple products. Key focus should be on SAP CX Commerce, the Chromium browser control in SAP Business Client, and SAP NetWeaver Application Server, as these carry the critical issues and are likely to be internet-facing. For the rest, review your environment and apply them in the regular patching cycle.
Learn More
In the May Security Patch of 2024, SAP has released 13 new and 2 updated Security Notes. Two are classified as 'HotNews', a designation given to patches addressing critical vulnerabilities with a CVSS score of 9.0 or higher.
Critical issues:
- SAP Note 3455438 addresses vulnerabilities in SAP CX Commerce tracked as CVE-2019-17495 and CVE-2022-36364 (both with CVSS score 9.8). These vulnerabilities were introduced via third-party libraries (Swagger UI and Apache Calcite Avatica) and are rectified by patching the HY_COM component.
- SAP Note 3448171 concerns a file upload vulnerability tracked as CVE-2024-33006 (CVSS score 9.6) in SAP NetWeaver Application Server ABAP and ABAP Platform, an improper file handling flaw.
The patch day also tackled multiple Cross-Site Scripting (XSS) vulnerabilities across various SAP applications. While less severe than the 'HotNews' items, these still present significant security risks, and no workarounds are available: only applying the patches mitigates these issues.
The remainder of the patches address a variety of issues categorized from medium to low priority, including vulnerabilities related to authorization checks, information disclosure, and SQL injections.
Full list:
| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSK | HotNews | 10.0 |
| 3455438 | New | [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce | CEC-SCC-PLA-PL | HotNews | 9.8 |
| 3448171 | New | [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-SRV-KPR-CMS | HotNews | 9.6 |
| 3431794 | New | [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | High | 8.1 |
| 3448445 | New | [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-SRV-GBT-GOS | Medium | 6.5 |
| 3441944 | Update | [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager | KM-SEN-MGR | Medium | 6.5 |
| 3460772 | New | [CVE-2024-33002] Cross-Site Scripting (XSS) vulnerability in SAP S/4HANA (Document Service Handler for DPS) | BC-EIM-ESH | Medium | 6.1 |
| 3450286 | New | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-AC | Medium | 6.1 |
| 3447467 | New | [CVE-2024-32731] Missing authorization check in SAP My Travel Requests | FI-TV-ODT-MTR | Medium | 5.5 |
| 2745860 | Update | Information disclosure in Enterprise Services Repository of SAP Process Integration | BC-XI-IBD-INF | Medium | 5.3 |
| 3349468 | New | [CVE-2024-33008] Memory corruption vulnerability in SAP Replication Server | BC-SYB-REP | Medium | 4.9 |
| 3449093 | New | [CVE-2024-33004] Insecure storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices) | BI-BIP-INV | Medium | 4.3 |
| 3434666 | New | [Multiple CVEs] Missing authorization checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) | FI-FIO-AR-PAY | Medium | 4.3 |
| 2174651 | Update | Potential information disclosure relating to PI Integration Directory | BC-XI-IBC | Medium | 4.3 |
| 1938764 | New | [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM) | EHS-SAF-GLM | Medium | 4.2 |
| 3392049 | New | [CVE-2024-33000] Missing authorization check in SAP Bank Account Management | FIN-FSCM-CLM-BAM | Low | 3.5 |
| 3446076 | New | [CVE-2024-33007] Client-side script execution vulnerability in SAP UI5 (PDFViewer) | CA-UI5-SC | Low | 3.5 |