Security News > 2023 > March > SAP releases security updates fixing five critical vulnerabilities
Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks.
The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.
CVE-2023-23857: Critical severity information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50.
The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API. CVE-2023-27269: Critical severity directory traversal problem impacting SAP NetWeaver Application Server for ABAP. The flaw allows a non-admin user to overwrite system files.
CVE-2023-27500: Critical severity directory traversal in SAP NetWeaver AS for ABAP. An attacker can exploit the flaw in SAPRSBRO to overwrite system files, causing damage to the vulnerable endpoint.
In February 2022, the US Cybersecurity and Infrastructure Security Agency urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.
News URL
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- MFA bypass becomes a critical security issue as ransomware tactics advance (source)
- HPE patches three critical security holes in Aruba PAPI (source)
- Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing (source)
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- The Rise of Zero-Day Vulnerabilities: Why Traditional Security Solutions Fall Short (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-14 | CVE-2023-27500 | Path Traversal vulnerability in SAP Netweaver Application Server Abap An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. | 8.1 |
| 2023-03-14 | CVE-2023-27269 | Path Traversal vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. | 9.6 |
| 2023-03-14 | CVE-2023-23857 | Improper Authentication vulnerability in SAP Netweaver Application Server for Java 7.50 Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. | 8.6 |