Security News > 2023 > March > SAP releases security updates fixing five critical vulnerabilities

SAP releases security updates fixing five critical vulnerabilities
2023-03-14 21:08

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks.

The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.

CVE-2023-23857: Critical severity information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50.

The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API. CVE-2023-27269: Critical severity directory traversal problem impacting SAP NetWeaver Application Server for ABAP. The flaw allows a non-admin user to overwrite system files.

CVE-2023-27500: Critical severity directory traversal in SAP NetWeaver AS for ABAP. An attacker can exploit the flaw in SAPRSBRO to overwrite system files, causing damage to the vulnerable endpoint.

In February 2022, the US Cybersecurity and Infrastructure Security Agency urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.


News URL

https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-fixing-five-critical-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-03-14 CVE-2023-27500 Path Traversal vulnerability in SAP Netweaver Application Server Abap
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files.
network
low complexity
sap CWE-22
8.1
2023-03-14 CVE-2023-27269 Path Traversal vulnerability in SAP Netweaver Application Server Abap
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files.
network
low complexity
sap CWE-22
critical
9.6
2023-03-14 CVE-2023-23857 Improper Authentication vulnerability in SAP Netweaver Application Server for Java 7.50
Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems.
network
low complexity
sap CWE-287
8.6

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 329 25 680 386 113 1204