SB2024111252 - Multiple vulnerabilities in SAP ABAP Platform and SAP NetWeaver AS ABAP

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2024-47593)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error in the application when reading. A remote attacker can read certain files from the server.

Note, the vulnerability exploitation is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology.

2) NULL pointer dereference (CVE-ID: CVE-2024-47586)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the kernel. A remote non-authenticated attacker can send a specially crafted HTTP request to the application and perform a denial of service attack.

Remediation

Install update from vendor's website.

References

• https://me.sap.com/notes/3508947
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
• https://me.sap.com/notes/3504390