Security News > 2023 > April > SAP releases security updates for two critical-severity flaws
Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.
In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins.
CVE-2023-29186: Directory traversal flaw impacting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the vulnerable SAP server.
The remaining 11 security flaws disclosed in SAP's latest security bulletin concern low to medium-severity vulnerabilities.
In February 2022, the US Cybersecurity and Infrastructure Security Agency urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.
In April 2021, threat actors were observed attacking fixed flaws in unpatched SAP systems to gain access to corporate networks.
News URL
Related news
- Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Major security audit of critical FreeBSD components now available (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-11 | CVE-2023-29186 | Path Traversal vulnerability in SAP Netweaver In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. | 6.5 |