SAP closes critical bugs that allow full system compromise

Two vulnerabilities

Of the two key vulnerabilities addressed on patch day, the more severe is a missing authentication check (CVE-2024-41730) with a CVSS score of 9.8/10 affecting SAP's BusinessObjects business intelligence platform; the other is a server-side request forgery (SSRF) vulnerability in applications built with SAP Build Apps.

CVE-2024-41730, as described by SAP, stems from a missing authentication check in the SAP BusinessObjects business intelligence platform. “In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled for Enterprise authentication, an unauthorized user can obtain a logon token using a REST endpoint,” the ERP vendor said in a security advisory.

An attacker can fully compromise the system, resulting in a significant impact on confidentiality, integrity, and availability, SAP added.
