Thursday, November 14, 2024
SAP released its July 2024 security update to address 18 vulnerabilities across various products. The update includes fixes for two critical vulnerabilities that could give attackers unauthorized access to sensitive data and systems. The most severe is CVE-2024-39592, affecting the SAP Product Design Cost Estimating (PDCE) tool, with a CVSS score of 7.7. It arises from a lack of proper authentication checks and could let attackers read general database tables, exposing sensitive information.
Another significant vulnerability, CVE-2024-39597, found in SAP Commerce, has a CVSS score of 7.2. This flaw stems from incorrect authentication handling, which could allow attackers to exploit the password reset function to gain unauthorized access to storefront websites. Additionally, the update addresses 15 medium-severity vulnerabilities in various SAP products, including Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now. These issues include data exposure, unrestricted file uploads, insufficient authentication, XSS, and SSRF vulnerabilities.
Although SAP has not reported any active exploitation of these vulnerabilities, the company strongly advises users to promptly apply the patches. Past incidents have shown that attackers often target known vulnerabilities even after patches have been released. Organizations using SAP products should prioritize installing these patches to safeguard their systems and data from potential risks.