SAP has released updates for two vulnerabilities affecting SAP Diagnostics Agent and SAP BusinessObjects Business Intelligence Platform. In total, 24 security notes were published, 19 of them updates of varying severity.
The three most critical vulnerabilities are as follows:
- CVE-2023-27267: Insufficient input validation and missing authentication issue impacting the OSCommand Bridge of SAP Diagnostics Agent, version 720, enabling an attacker to execute scripts on connected agents and fully compromise the system. (CVSS v3.1 score: 9.0)
- CVE-2023-28765: Information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence Platform (Promotion Management), versions 420 and 430, allowing an attacker with basic privileges to gain access to the lcmbiar file and decrypt it. This would enable the attacker to access the platform’s users’ passwords and take over their accounts to perform additional malicious actions. (CVSS v3.1 score: 9.8)
- CVE-2023-29186: Directory traversal flaw impacting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the vulnerable SAP server. (CVSS v3.1 score: 8.7)
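The third item above is a directory traversal flaw in an upload path: user-controlled file names are joined to a server directory without being confined to it, so an attacker can write or overwrite files elsewhere on the host. The following is an added illustration of the containment check that prevents this class of bug; it is not SAP's code and makes no claim about how the NetWeaver fix is implemented. The base directory `/srv/uploads`, the function name and the sample inputs are constructed for the example.

```python
import os
import posixpath
from typing import Optional


def safe_upload_path(root: str, user_supplied: str) -> Optional[str]:
    """Return the absolute path under `root` where `user_supplied` may be written,
    or None when the name would escape `root` or point at `root` itself.

    Assumes `user_supplied` has already been URL-decoded by the framework;
    percent-encoded traversal sequences must be decoded before this check.
    """
    # Empty names and embedded NUL bytes are never valid file names.
    if not user_supplied or "\x00" in user_supplied:
        return None

    # Treat backslashes as separators so Windows-style "..\" traversal is caught too.
    candidate = user_supplied.replace("\\", "/")

    # Absolute paths would ignore root entirely.
    if candidate.startswith("/"):
        return None

    # Collapse "." and ".." segments lexically; anything still climbing upward is rejected.
    normalized = posixpath.normpath(candidate)
    if normalized == ".." or normalized.startswith("../"):
        return None

    # Resolve against root and verify containment on the final, absolute path.
    root_abs = os.path.abspath(root)
    full = os.path.abspath(os.path.join(root_abs, normalized))
    if os.path.commonpath([root_abs, full]) != root_abs or full == root_abs:
        return None
    return full


def classify(root: str, names: list) -> dict:
    """Map each constructed sample name to 'allowed' or 'rejected' for review."""
    return {n: ("allowed" if safe_upload_path(root, n) else "rejected") for n in names}


if __name__ == "__main__":
    # Constructed sample inputs: benign names beside traversal attempts.
    samples = ["report.pdf", "sub/./a.txt", "../etc/passwd",
               "sub/../../x", "..\\..\\win.ini", "/etc/passwd", ".", ""]
    for name, verdict in classify("/srv/uploads", samples).items():
        print(f"{name!r:20} -> {verdict}")
```

The decisive step is the last one: `os.path.commonpath` on the fully resolved path, not string matching on the raw input. Pairing the returned path with `open(path, "xb")` (exclusive create) additionally refuses to overwrite an existing file, which addresses the second half of the flaw description.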
It is highly important that the updates are installed without delay.
Source: bleepingcomputer.com