SAP has issued a series of security patches in its March 2024 Security Patch Day, highlighting critical vulnerabilities in several business-facing products. Among the most severe issues are command injection vulnerabilities affecting the Chromium browser in Business Client, Build Apps, and NetWeaver AS Java. These vulnerabilities could allow attackers to execute unauthorized commands, posing significant risks to system integrity and confidentiality.
One of the critical vulnerabilities, CVE-2019-10744, affects the lodash utility library in Build Apps, enabling attackers to run unauthorized commands on the system. Another critical flaw, CVE-2024-22127, discovered in the Administrator Log Viewer plugin of NetWeaver AS Java, permits code injection through the upload of arbitrary files. These vulnerabilities could lead to high-impact attacks, compromising the availability, integrity, and confidentiality of the application.
SAP urges users to apply the necessary patches promptly to mitigate these risks. Although there is no evidence of active exploitation in the wild, the severity of these vulnerabilities underscores the importance of proactive security measures in safeguarding enterprise systems against potential threats.
Reference:
