SAP Patches High-Severity Vulnerabilities in PDCE, Commerce

July 9, 2024 at 10:21AM

SAP released 16 new and 2 updated security notes for July 2024, addressing high-severity vulnerabilities in PDCE and SAP Commerce. The PDCE bug (CVE-2024-39592) could allow unauthorized data access, while the SAP Commerce issue (CVE-2024-39597) could enable access to improperly configured sites. A further 15 medium-severity issues in various SAP products were also addressed. Users are advised to update promptly, given the potential for exploitation.

Key takeaways:
– SAP released 16 new and two updated security notes as part of its July 2024 patch day, addressing high-severity vulnerabilities.
– The most severe issue is a missing authorization check in PDCE, tracked as CVE-2024-39592 (CVSS score 7.7/10), which could allow attackers to read generic table data.
– Another high-priority note resolves CVE-2024-39597 (CVSS score 7.2/10), an improper authorization check in SAP Commerce that could give attackers access to improperly configured sites.
– The remaining security notes describe 15 medium-severity issues in various SAP products.
– The patched vulnerabilities include information disclosure, unrestricted file upload, missing authorization check, cross-site scripting (XSS), and server-side request forgery (SSRF) bugs.
– There is no mention of these vulnerabilities being exploited in the wild, but users are advised to apply the updates promptly, given known attacker interest in security defects in SAP products.
