SAP Security Vulnerabilities Let Attackers Perform Code Injection


SAP has released its September security patches, which address 13 vulnerabilities including Information Disclosure, Code Injection, Memory Corruption, and others. Severity scores for these vulnerabilities range from 2.7 (Low) to 10.0 (Critical).

These vulnerabilities existed in multiple SAP products like SAP Business Client, Business Intelligence Platform, SAP NetWeaver, SAP CommonCryptoLib, SAP PowerDesigner, SAP BusinessObjects Suite, SAP S/4HANA, SAPUI5, SAP Quotation Management, and S4CORE.

Critical & High Severity Vulnerabilities

Of the 13 patched vulnerabilities, SAP rated 5 as Critical severity and 2 as High severity.

The most critical entry was a vulnerability in the Google Chromium-based browser component bundled with SAP Business Client, affecting versions 6.5, 7.0, and 7.70.

Another critical vulnerability was CVE-2023-40622, which under certain conditions allows an unauthenticated threat actor to view sensitive information that can be used to completely compromise the application. This vulnerability has a severity score of 9.9 (Critical).

Other critical vulnerabilities included CVE-2022-41272 (Improper Access Control in SAP NetWeaver AS Java – 9.9), CVE-2023-25616 (Code Injection Vulnerability in SAP Business Objects Business Intelligence Platform – 9.9) and CVE-2023-40309 (Missing Authorization Check in SAP CommonCryptoLib – 9.8).

Of the two High severity vulnerabilities, one was an Insufficient File Type Validation flaw in SAP BusinessObjects Business Intelligence Platform (CVE-2023-42472 – 8.7), and the other was a Memory Corruption vulnerability in SAP CommonCryptoLib (CVE-2023-40308 – 7.5).

Medium Severity Vulnerabilities – 6

Six medium-severity vulnerabilities were patched as part of SAP's September 2023 patch release.

The highest severity among the six medium-severity vulnerabilities was the Code Injection vulnerability in SAP PowerDesigner Client (CVE-2023-40621), with a severity score of 6.3.

It was followed by an Arbitrary File Delete via Directory Junction vulnerability in the SAP BusinessObjects Suite installer, which affects SAP BusinessObjects Suite (Installer) versions 420 and 430 (CVE-2023-40623 – 6.2).

SAP has published a complete report about their recent patches and their affected products.
