SAP Security Update: 16 Flaws in Multiple SAP Products Addressed

by Esmeralda McKenzie

SAP Security Update August

SAP has released patches for 16 vulnerabilities with Critical, High, Medium, and Low severities. The CVSS scores for these vulnerabilities range from 3.7 (Low) to 9.8 (Critical), which breaks down into 1 Critical, 6 High, 7 Medium, and 1 Low severity vulnerability. The CVSS score of one of the vulnerabilities is yet to be confirmed.

SAP releases these patches every month on its patch day. As mentioned in their previous patch release in July, 14 vulnerabilities were patched then. Several of the vulnerabilities this month are linked to products such as:

  • SAP PowerDesigner
  • SAP Business One
  • SAP BusinessObjects Business Intelligence Suite
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Message Server
  • SAP NetWeaver Process Integration
  • SAPUI5
  • SAP Commerce
  • SAP Supplier Relationship Management
  • SAP NetWeaver AS ABAP and ABAP Platform
  • SAP Host Agent
  • SAP Commerce Cloud

Critical Severity Vulnerabilities

SAP PowerDesigner (BC-SYB-PD) – CVE-2023-37483

This is a critical access control vulnerability that allows an unauthenticated attacker to execute arbitrary queries against the back-end database via proxy. The CVSS score for this vulnerability is given as 9.8 (Critical).

High Severity Vulnerabilities

SAP PowerDesigner (BC-SYB-PD) – CVE-2023-36923

This vulnerability allows an attacker with local access to place a malicious library that can be executed by the application, which results in the attacker controlling the behavior of the application. The CVSS score for this vulnerability is given as 7.8 (High).

SAP Business One (SBO-CRO-SEC) – CVE-2023-39437

This is a Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject malicious code into the web page or the application and deliver it to the client. This affects the Confidentiality, Integrity, and Availability of the application. The CVSS score for this vulnerability is given as 7.6 (High).

SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – CVE-2023-37490

This vulnerability allows an authenticated attacker on the network to overwrite an executable file that is created in the temporary directory as part of the installation process, resulting in the compromise of the CIA triad. The CVSS score for this vulnerability is given as 7.6 (High).

SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – CVE-2023-37490

This is a Denial of Service (DoS) vulnerability due to the use of a vulnerable Commons FileUpload version in SAP BusinessObjects Business Intelligence Platform (CMC). The CVSS score for this vulnerability is given as 7.5 (High) by SAP.

SAP Message Server (BC-CST-MS) – CVE-2023-37491

Under certain conditions, the SAP Message Server can be bypassed, which allows an authenticated attacker to enter the SAP systems network, leading to unauthorized reading and writing of data. The CVSS score for this vulnerability is given as 7.5 (High).

SAP Business One (SBO-CRO-SEC) – CVE-2023-33993

This vulnerability can be exploited by an authenticated attacker by sending crafted queries over the network to read or modify SQL data. The CVSS score for this vulnerability is given as 7.1 (High).

Medium Severity Vulnerabilities

Vulnerable Product | CVE ID | Description | Severity (CVSS)
SAP NetWeaver Process Integration (BC-XI-IBF-WU) | CVE-2023-37488 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration. | 6.1
SAPUI5 (CA-UI5-COR) | CVE-2023-37484 | Cross-Site Scripting (XSS) vulnerabilities in the jQuery-UI library bundled with SAPUI5. | 6.1
SAP Commerce (CEC-SCC-COM-BC-OCC) | CVE-2023-37486 | Information Disclosure vulnerability in SAP Commerce (OCC API). | 5.9
SAP Supplier Relationship Management (SRM-EBP-ADM-XBP) | CVE-2023-39436 | Information Disclosure vulnerability in SAP Supplier Relationship Management. | 5.8
SAP Business One (SBO-CRO-SEC) | CVE-2023-37487 | Security Misconfiguration vulnerability in SAP Business One (Service Layer). | 5.3
SAP NetWeaver AS ABAP and ABAP Platform (BC-CCM-CNF-PFL) | CVE-2023-37492 | Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. | 4.9
SAP BusinessObjects Business Intelligence Platform (BI-RA-WBI) | CVE-2023-39440 | Information Disclosure vulnerability in SAP Supplier Relationship Management. | 4.4

SAP has released a security advisory with detailed information about these vulnerabilities. Users of these products are advised to upgrade to the latest versions to patch the vulnerabilities.

Source credit : cybersecuritynews.com
