SB2025021262 - Multiple vulnerabilities in SAP Enterprise Project Connection

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2024-38819)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

2) Security features bypass (CVE-ID: CVE-2024-38820)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to String.toLowerCase() has some Locale dependent exceptions when handling case insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.

3) Input validation error (CVE-ID: CVE-2024-38828)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input  passed via Spring MVC controller method with @RequestBody byte[] parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html</p><p>
• https://me.sap.com/notes/3567172</p>