SAP Patches High-Severity Vulnerabilities in PDCE, Commerce

Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities.

The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP.

The second high-priority note resolves CVE-2024-39597 (CVSS score of 7.2/10), an improper authorization check in SAP Commerce that could provide attackers with access to improperly configured sites.

“An attacker can misuse the forgotten password functionality to gain access to a site for which early login and registration is activated, without requiring the merchant to approve the account beforehand,” according to a separate advisory from application security firm Onapsis.

“If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites,” the company added.

Of the remaining SAP security notes (PDF), 15 are described as medium-severity issues in Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.

The patched vulnerabilities include information disclosure issues, unrestricted file uploads, missing authorization checks, cross-site scripting (XSS), and server-side request forgery (SSRF) bugs.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. However, users are advised to update their appliances as soon as possible, as attackers are known to have targeted security defects in SAP products for which patches had been released.
