Update Now: Critical SAP Auth Bypass and SSRF Vulnerabilities Fixed


SAP has issued a major security update addressing critical authentication bypass and server-side request forgery vulnerabilities, with CVSS scores of 9.8 and 9.1. The company advises all users to install the updates promptly, as these issues impact many customers.

Critical SAP Auth Bypass and SSRF Vulnerabilities

On August 13, 2024, SAP released an update fixing 17 security flaws, including 6 critical ones. Notably, CVE-2024-41730 and CVE-2024-29415, both with CVSS ratings above 9, are particularly concerning due to their potential severe impact if exploited.

CVE-2024-41730 is an authentication bypass vulnerability in SAP Business Intelligence Platform that allows attackers to extract logon tokens, provided Single Sign-On (SSO) is enabled. This vulnerability can lead to data leaks or malware deployment if an attacker gains access to the authentication token.

CVE-2024-29415 is an SSRF flaw in which the software misclassifies non-public IP addresses, such as the loopback address (localhost), as globally routable. An attacker can therefore make the server initiate connections to arbitrary IP addresses, including internal ones, potentially leading to data leaks and exposure of internal infrastructure. This flaw likely results from an incomplete fix of CVE-2023-42282.
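The defensive counterpart to the flaw described above is a target check that canonicalizes an address before deciding whether it is public. The following is an added example for illustration, not SAP's code and not the code of the affected component (which the advisory does not name). It assumes a Python service that receives IP literals as outbound-request targets; the sample inputs are constructed. It shows the two places where such checks commonly go wrong: IPv4 shorthand, octal and hex spellings that a regex-based check does not recognise as loopback, and IPv4-mapped IPv6 addresses that hide a loopback or private address inside an IPv6 literal.

```python
import ipaddress
import socket

# Constructed sample targets (not from the advisory). Each spelling in the
# first group is the loopback address or another non-public range; a check
# that only looks for the literal string "127.0.0.1" would let most of them
# through.
NON_PUBLIC_SAMPLES = [
    "127.0.0.1",          # loopback, canonical spelling
    "127.1",              # loopback, inet_aton shorthand
    "0177.0.0.1",         # loopback, octal first octet
    "0x7f.0.0.1",         # loopback, hex first octet
    "10.0.0.5",           # RFC 1918 private range
    "169.254.169.254",    # link-local (cloud metadata endpoint range)
    "0.0.0.0",            # unspecified
    "::1",                # IPv6 loopback
    "::ffff:127.0.0.1",   # IPv4-mapped IPv6 wrapping loopback
    "[::ffff:10.0.0.5]",  # bracketed URL-host form wrapping a private address
]
PUBLIC_SAMPLES = ["8.8.8.8", "::ffff:8.8.8.8", "2001:4860:4860::8888"]


def normalize_ip(text):
    """Return an ipaddress object for an IP literal, or None if it is not one.

    IPv4 text is parsed with the C library's inet_aton, the same routine the
    socket layer uses, so shorthand ("127.1"), octal ("0177.0.0.1") and hex
    ("0x7f.0.0.1") spellings canonicalize to the address that would actually
    be dialled. Parsing with a stricter or different grammar than the network
    stack is exactly how an address gets judged public but connects to
    loopback.
    """
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]  # URL-style bracketed IPv6 host
    if ":" in text:
        try:
            return ipaddress.IPv6Address(text)
        except ValueError:
            return None
    try:
        return ipaddress.IPv4Address(socket.inet_aton(text))
    except OSError:
        return None


def is_public(addr):
    """True only if `addr` is globally routable.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped and judged by
    the embedded IPv4 address, so "::ffff:127.0.0.1" is treated as loopback.
    Multicast, reserved, link-local, loopback and unspecified addresses are
    excluded explicitly because is_global alone does not cover all of them.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified or addr.is_private):
        return False
    return addr.is_global


def is_public_literal(text):
    """Gate for an outbound-request target given as an IP literal.

    Anything that is not an IP literal is rejected here; hostnames belong in
    a separate path that resolves them and applies is_public to every
    resolved address (and pins that address for the actual connection).
    """
    addr = normalize_ip(text)
    return addr is not None and is_public(addr)


if __name__ == "__main__":
    for target in NON_PUBLIC_SAMPLES + PUBLIC_SAMPLES + ["not-an-ip"]:
        verdict = "allow" if is_public_literal(target) else "reject"
        print(f"{target:22} -> {verdict} ({normalize_ip(target)})")
```

The design point is that the canonical form, not the user-supplied spelling, is what gets classified, and the classification covers every non-routable category rather than a hand-written list. Note also that checking a hostname's resolved address at validation time and then letting the HTTP client resolve it again at connect time leaves a DNS-rebinding window; the address that passed the check is the one that should be dialled.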

Critical flaws fixed in SAP’s August 2024 patch

| Vulnerability  | Severity Score (CVSS) |
|----------------|-----------------------|
| CVE-2024-41730 | 9.8                   |
| CVE-2024-29415 | 9.1                   |
| CVE-2024-42374 | 8.2                   |
| CVE-2023-30533 | 7.8                   |
| CVE-2024-34688 | 7.5                   |
| CVE-2024-33003 | 7.4                   |

Patch

SAP released the fixes as soon as the vulnerabilities were disclosed, having withheld details until patches were ready. Given the broad list of affected products and versions, SAP users should check for and install the updates promptly. The company has not provided interim mitigation steps, since the fixes are already available and should be applied directly.


Published August 16th, 2024 | Categories: Exploitation, Internet Security, Security Advisory, Security Update, vulnerability

About the Author: FirstHackersNews - Identifies Security
