Critical LiteSpeed Cache Plugin Vulnerability Allows WordPress Websites EoP
Published on November 1, 2024
SAP released 17 new ‘Security Notes’ and eight updated fixes in its August 2024 security patch package, including two HotNews and four high-priority notes - an above-average number for the software maker. The critical flaws concern a missing authentication check and a Server-Side Request Forgery vulnerability.
The first HotNews note concerns a flaw tracked as CVE-2024-41730, addressing a Missing Authentication Check vulnerability in the SAP BusinessObjects Business Intelligence Platform versions 430 and 440, earning a 9.8 CVSS rating.
The second new HotNews note, CVE-2024-29415, is a Server-Side Request Forgery vulnerability in the IP package for Node.js in applications built with SAP Build Apps versions under 4.11.130 and has a 9.1 CVSS rating.
An unauthorized user can exploit the missing authentication check by obtaining a logon token from a REST (Representational State Transfer) endpoint when Single Sign-On (SSO) enterprise authentication is enabled. This allows an attacker to fully compromise the targeted system.
The other new high-priority flaws are 3485284 (CVE-2024-42374), an XML injection in the SAP BEx Web Java Runtime Export Web Service (versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5), and 3423268 (CVE-2023-30533), a Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) caused by bundled SheetJS CE library versions older than 0.19.3.
3459935 (CVE-2024-33003), an Information Disclosure vulnerability in SAP Commerce Cloud versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211, is another new high-priority flaw.
Among the high-priority notes is also an update: 3460407 (CVE-2024-34688), a Denial of Service (DoS) in SAP NetWeaver AS Java (Meta Model Repository) version MMR_SERVER 7.5.