
SAP releases security updates for two critical-severity flaws
2023-04-11 20:54

Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which include fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.

In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins.

CVE-2023-29186: Directory traversal flaw impacting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the vulnerable SAP server.

The remaining 11 security flaws disclosed in SAP's latest security bulletin concern low- to medium-severity vulnerabilities.

In February 2022, the US Cybersecurity and Infrastructure Security Agency urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.

In April 2021, threat actors were observed exploiting already-fixed vulnerabilities on unpatched SAP systems to gain access to corporate networks.


News URL

https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-for-two-critical-severity-flaws/

Related Vulnerability

Date: 2023-04-11
CVE: CVE-2023-29186
Title: Path Traversal vulnerability in SAP NetWeaver
Description: In SAP NetWeaver (BI CONT ADDON), versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server.
Attack vector: network
Attack complexity: low
Vendor: SAP
Weakness: CWE-22
Risk score: 6.5

Related vendor

Vendor: SAP
Vulnerabilities in last 12 months: 329
Low: 25
Medium: 680
High: 386
Critical: 113
Total vulnerabilities: 1204