SAP publishes security upgrades that address five serious flaws
SAP has released security fixes for 19 vulnerabilities, five of which are rated serious; administrators should apply them promptly to reduce risk.
Many products were affected by the issues that were resolved this month, but SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver were the two most severely affected.
- The SAP Business Intelligence Platform has a critical severity (CVSS v3: 9.9) code injection vulnerability that allows an attacker to access resources that are only accessible to privileged users. Versions 420 and 430 are affected by the bug.
- SAP NetWeaver AS for Java, version 7.50, is affected by the CVE-2023-23857 critical severity (CVSS v3: 9.8) information exposure, data modification, and DoS weakness. By attaching to an open interface and gaining access to services via the directory API, the flaw enables an unauthenticated attacker to carry out unwanted actions.
- CVE-2023-27269: Directory traversal vulnerability with critical severity (CVSS v3: 9.6) in SAP NetWeaver Application Server for ABAP. The bug lets a non-administrative user overwrite system files. Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 791 are affected.
- CVE-2023-27500: Directory traversal vulnerability with critical severity (CVSS v3: 9.6) in SAP NetWeaver AS for ABAP. An attacker can exploit the SAPRSBRO bug to overwrite system files and damage the vulnerable endpoint. Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, and 757 are affected.
- CVE-2023-25617: Command execution vulnerability in SAP Business Objects Business Intelligence Platform, versions 420 and 430, with critical severity (CVSS v3: 9.0). Under specific circumstances, the issue enables a remote attacker to execute arbitrary commands on the system through the BI Launchpad, the Central Management Console, or a custom application built with the open-source Java SDK.
In addition to the aforementioned issues, SAP's monthly security patch repaired ten medium-severity vulnerabilities and four high-severity problems.