SAP has fixed more than a dozen security vulnerabilities, including two critical-severity ones which could have allowed threat actors to take full control over a flawed endpoint.
In a security advisory, SAP detailed the “missing authentication check” vulnerability affecting SAP BusinessObjects Business Intelligence PLatform versions 430, and 440. The bug is tracked as CVE-2024-41730, and carries a severity score of 9.8 (critical).
“In SAP BusinessObjects Business Intelligence Platform, if Single Sign On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” SAP explained in the advisory. “The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
Server-side request forgeries, and more
The second critical vulnerability is a server-side request forgery (SSRF) flaw affecting apps built with SAP Build Apps prior to version 4.11.130. This bug was introduced through a fix for a previous vulnerability, and is tracked as CVE-2024-29415. It carries a severity score of 9.1. The bug was found in the ‘IP’ package for Node.js, when it analyzes if an IP address is public or not. With octal representation, the package erroneously recognizes ‘127.0.0.1’ as a public and globally routable address.
SAP is the world’s largest ERP vendor, with products in use by more than 90% of the Forbes Global 2000 list, so cybercriminals will most likely scan for endpoints that haven’t applied the patch, looking for a way into the IT networks of some of the world’s most important brands.
Besides these two, SAP fixed another four high-severity vulnerabilities, with scores ranging from 7.4 to 8.2. These include an XML injection issue in the SAP BEx Web Java Runtime Export Web Service, a bug in SAP S/4 HANA, one in SAP NetWeaver AS Java, and one in SAP Commerce Cloud.
