SAP Security Update: Patch for High Severity Vulnerabilities
SAP (Systems, Applications, and Products in Data Processing) is an international company and a leader in corporate software, offering integrated solutions to automate and manage business processes. Founded in Germany in 1972, SAP is now one of the largest producers of corporate software globally.
In July 2024, SAP's monthly Security Patch Day delivered a security update addressing 18 product vulnerabilities, including two high-priority flaws that could let attackers read sensitive data or bypass an authorization step to gain access to systems.
The most severe vulnerability in this update is CVE-2024-39592, which affects SAP's Product Design Cost Estimating (PDCE) tool. Rated CVSS 7.7 (high), it stems from a missing authorization check: the affected code reads generic table data without first verifying that the caller is allowed to see the table, so an attacker can retrieve table contents and expose sensitive information.
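The following ABAP block is an added illustration of the "missing authorization check" class described above, showing a generic table-read function first without and then with the check. It is not SAP's PDCE code and says nothing about how that product is actually implemented; the function names, parameters and the choice of authorization object S_TABU_NAM (display activity '03') are assumptions made for the example.

```abap
" Added illustration of a missing authorization check on generic table reads.
" Not SAP's PDCE code. Function names, parameters and the S_TABU_NAM pattern
" are assumptions for this example.

" BEFORE: any caller that can reach this function reads any table by name.
FUNCTION z_table_read_unchecked.
*"  IMPORTING
*"     VALUE(iv_tabname) TYPE tabname
*"  EXPORTING
*"     VALUE(er_data)    TYPE REF TO data
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  " The caller-controlled table name is resolved and read straight away.
  CREATE DATA er_data TYPE STANDARD TABLE OF (iv_tabname).
  ASSIGN er_data->* TO <lt_rows>.
  " No AUTHORITY-CHECK: the caller's permissions are never compared with the table.
  SELECT * FROM (iv_tabname) INTO TABLE <lt_rows> UP TO 100 ROWS.
ENDFUNCTION.

" AFTER: the same read, gated on display authorization for that table name.
FUNCTION z_table_read_checked.
*"  IMPORTING
*"     VALUE(iv_tabname) TYPE tabname
*"  EXPORTING
*"     VALUE(er_data)    TYPE REF TO data
*"  EXCEPTIONS
*"     no_authority
*"     invalid_table
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

  " 1. Check display authorization (ACTVT '03') for the specific table via
  "    S_TABU_NAM before any data is touched. The check must use the
  "    caller-supplied name, not a constant, or it proves nothing.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_tabname
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.

  " 2. Only then resolve the name dynamically. A name that is not a valid
  "    table type raises CX_SY_CREATE_DATA_ERROR instead of reaching the SELECT.
  TRY.
      CREATE DATA er_data TYPE STANDARD TABLE OF (iv_tabname).
    CATCH cx_sy_create_data_error.
      RAISE invalid_table.
  ENDTRY.
  ASSIGN er_data->* TO <lt_rows>.
  SELECT * FROM (iv_tabname) INTO TABLE <lt_rows> UP TO 100 ROWS.
ENDFUNCTION.
```

Two things matter in the hardened version: the check runs before the read, and it is keyed on the attacker-influenced input (the table name). A check against a fixed object or a check performed after the SELECT has already filled the result would still leave the data exposed. SAP's own generic table tools also evaluate S_TABU_DIS (authorization by table authorization group); this example deliberately shows only the name-based object to keep the pattern short.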
The second high-priority vulnerability, CVE-2024-39597, affects SAP Commerce and carries a CVSS score of 7.2. It is an improper authorization check in the "forgotten password" functionality: on sites that are misconfigured, an attacker can use that flow to gain access to the site without the merchant approval step that should gate new accounts.
The July update also includes fixes for 15 medium-severity vulnerabilities affecting various SAP products such as Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.
The medium-severity issues fall into the following classes:
- Information disclosure,
- Unrestricted file upload,
- Missing authorization checks,
- Cross-site scripting (XSS),
- Server-side request forgery (SSRF).
SAP has not reported active exploitation of any of these vulnerabilities, but it strongly recommends applying the patches as soon as possible. Past incidents have shown that attackers routinely weaponize publicly known SAP vulnerabilities after patches are released, targeting systems that lag behind. This July update again highlights the importance of timely security updates for enterprise software.
Organizations running SAP products should prioritize these updates to mitigate the risk to their systems and data. In practice that means implementing the relevant SAP Security Notes (via SNOTE or the support package that contains them) on every affected system in the landscape, and then verifying that the corrected component versions named in each note are actually deployed, rather than assuming a note applied on one system covers the rest.