SAP has released its security updates for April 2023: 24 security notes, 19 of which cover newly disclosed vulnerabilities. The two most severe flaws are CVE-2023-27267 and CVE-2023-28765. The first affects SAP Diagnostics Agent and lets an attacker execute scripts on connected agents, potentially compromising the underlying hosts.
The second affects SAP BusinessObjects Business Intelligence Platform and can expose BI users' passwords, which in turn allows the application itself to be compromised.
CVE-2023-27267 stems from missing authentication and insufficient input validation in the OSCommand Bridge of SAP Diagnostics Agent, version 720. An attacker who can reach the bridge can use it to execute scripts on the connected Diagnostics Agents, potentially leading to full compromise of those systems.
CVE-2023-28765 affects SAP BusinessObjects Business Intelligence Platform (Promotion Management), versions 420 and 430. An authenticated attacker with only basic privileges can access an lcmbiar file and decrypt it.
The decrypted file yields BI users' passwords; depending on those users' privileges, the attacker can then perform operations that fully compromise the application.
SAP administrators are advised to apply the available security notes as soon as possible to mitigate these vulnerabilities. Because the BusinessObjects flaw is exploitable by any authenticated user with basic privileges, patching alone does not undo an exposure that may already have occurred: where prior access to lcmbiar files cannot be ruled out, the affected BI users' passwords should also be changed.
The complete list of notes can be found in SAP's April 2023 security bulletin. Applying them promptly closes these issues before attackers can exploit them.