SAP has released patches for 16 vulnerabilities with Critical, High, Medium, and Low severities. The CVSS scores for these vulnerabilities are between 3.7 (Low) to 9.8 (Critical) which contributes to 1 Critical, 6 High, 7 Medium, and 1 Low severity vulnerability. One of the vulnerability CVSS scores is yet to be confirmed.
SAP released these patches every month on their patch day. 14 Vulnerabilities were patched as mentioned in their last patch in July. Most of the vulnerabilities this month are related to products like;
SAP PowerDesigner
SAP Business One
SAP BusinessObjects Business Intelligence Suite
SAP BusinessObjects Business Intelligence Platform
This is an improper access control vulnerability that allows an unauthenticated attacker to execute arbitrary queries against the back-end database via proxy. The CVSS score for this vulnerability is given as 9.8 (Critical).
This vulnerability allows an attacker with local access to place a malicious library that can be executed by the application which results in the attacker controlling the behavior of the application. The CVSS score for this vulnerability is given as 7.8 (High)
This is a Cross-Site scripting (XSS) vulnerability that allows an attacker to inject malicious code on the web page or the application and deliver it to the client. This affects the Confidentiality, Integrity, and Availability of the application. The CVSS score for this vulnerability is given as 7.6 (High).
SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – CVE-2023-37490
This vulnerability allows an authenticated attacker within the network to overwrite an executable file that is created in the temporary directory as part of the installation process leading to the compromise of the CIA triad. The CVSS score for this vulnerability is given as 7.6 (High).
SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – CVE-2023-37490
This is a Denial of Service (DoS) vulnerability due to the use of a vulnerable Commons FileUpload version in SAP BusinessObjects Business Intelligence Platform (CMC). The CVSS Score for this vulnerability is given as 7.5 (High) by SAP.
On certain conditions, the SAP Message server can be bypassed which enables an authenticated attacker to enter into the SAP systems network resulting in unauthorized read and write of data. The CVSS score for this vulnerability is given as 7.5 (High).
This vulnerability can be exploited by an authenticated attacker by sending crafted queries over the network to read or modify SQL data. The CVSS Score for this vulnerability is given as 7.1 (High)
Information Disclosure Vulnerability in SAP Supplier Relationship Management.
4.4
SAP has released a security advisory that mentioned detailed information about these vulnerabilities. Users of these products are recommended to upgrade to the latest versions to patch the vulnerabilities.