Subj : This critical security flaw is letting SAP users get around authe To : All From : TechnologyDaily Date : Wed Aug 14 2024 16:30:05 This critical security flaw is letting SAP users get around authentication Date: Wed, 14 Aug 2024 15:19:39 +0000 Description: Severe security flaw could allow full SAP account takeover. FULL STORY ====================================================================== SAP has fixed more than a dozen security vulnerabilities, including two critical-severity ones which could have allowed threat actors to take full control over a flawed endpoint . In a security advisory , SAP detailed the missing authentication check vulnerability affecting SAP BusinessObjects Business Intelligence PLatform versions 430, and 440. The bug is tracked as CVE-2024-41730, and carries a severity score of 9.8 (critical). "In SAP BusinessObjects Business Intelligence Platform, if Single Sign On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint," SAP explained in the advisory. "The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability." Server-side request forgeries, and more The second critical vulnerability is a server-side request forgery (SSRF) flaw affecting apps built with SAP Build Apps prior to version 4.11.130. This bug was introduced through a fix for a previous vulnerability, and is tracked as CVE-2024-29415. It carries a severity score of 9.1. The bug was found in the IP package for Node.js, when it analyzes if an IP address is public or not. With octal representation, the package erroneously recognizes 127.0.0.1 as a public and globally routable address. SAP is the worlds largest ERP vendor, with products in use by more than 90% of the Forbes Global 2000 list, so cybercriminals will most likely scan for endpoints that havent applied the patch, looking for a way into the IT networks of some of the worlds most important brands. Besides these two, SAP fixed another four high-severity vulnerabilities, with scores ranging from 7.4 to 8.2. These include an XML injection issue in the SAP BEx Web Java Runtime Export Web Service, a bug in SAP S/4 HANA, one in SAP NetWeaver AS Java, and one in SAP Commerce Cloud. Via Bleeping Computer More from TechRadar Pro SAP's AI Core platform has some worrying security flaws, so patch now Here's a list of the best malware removal tools around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/this-critical-security-flaw-is-letting- sap-users-get-around-authentication --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .