SAP Security Update August

SAP has released patches for 16 vulnerabilities with Critical, High, Medium, and Low severities. The CVSS scores for these vulnerabilities are between 3.7 (Low) to 9.8 (Critical) which contributes to 1 Critical, 6 High, 7 Medium, and 1 Low severity vulnerability. One of the vulnerability CVSS scores is yet to be confirmed.

SAP released these patches every month on their patch day. 14 Vulnerabilities were patched as mentioned in their last patch in July. Most of the vulnerabilities this month are related to products like;

  • SAP PowerDesigner
  • SAP Business One
  • SAP BusinessObjects Business Intelligence Suite
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Message Server
  • SAP NetWeaver Process Integration
  • SAPUI5
  • SAP Commerce
  • SAP Supplier Relationship Management
  • SAP NetWeaver AS ABAP and ABAP Platform
  • SAP Host Agent
  • SAP Commerce Cloud 

Critical Severity Vulnerabilities

SAP PowerDesigner (BC-SYB-PD) – CVE-2023-37483

This is an improper access control vulnerability that allows an unauthenticated attacker to execute arbitrary queries against the back-end database via proxy. The CVSS score for this vulnerability is given as 9.8 (Critical).

High Severity Vulnerabilities

SAP PowerDesigner (BC-SYB-PD) – CVE-2023-36923

This vulnerability allows an attacker with local access to place a malicious library that can be executed by the application which results in the attacker controlling the behavior of the application. The CVSS score for this vulnerability is given as 7.8 (High)

SAP Business One (SBO-CRO-SEC) – CVE-2023-39437

This is a Cross-Site scripting (XSS) vulnerability that allows an attacker to inject malicious code on the web page or the application and deliver it to the client. This affects the Confidentiality, Integrity, and Availability of the application. The CVSS score for this vulnerability is given as 7.6 (High).

SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – CVE-2023-37490

This vulnerability allows an authenticated attacker within the network to overwrite an executable file that is created in the temporary directory as part of the installation process leading to the compromise of the CIA triad. The CVSS score for this vulnerability is given as 7.6 (High). 

SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – CVE-2023-37490

This is a Denial of Service (DoS) vulnerability due to the use of a vulnerable Commons FileUpload version in SAP BusinessObjects Business Intelligence Platform (CMC). The CVSS Score for this vulnerability is given as 7.5 (High) by SAP.

SAP Message Server (BC-CST-MS) – CVE-2023-37491

On certain conditions, the SAP Message server can be bypassed which enables an authenticated attacker to enter into the SAP systems network resulting in unauthorized read and write of data. The CVSS score for this vulnerability is given as 7.5 (High).

SAP Business One (SBO-CRO-SEC) – CVE-2023-33993

This vulnerability can be exploited by an authenticated attacker by sending crafted queries over the network to read or modify SQL data. The CVSS Score for this vulnerability is given as 7.1 (High)

Medium Severity Vulnerabilities

Vulnerable ProductCVE IDDescriptionSeverity
SAP NetWeaver Process Integration (BC-XI-IBF-WU)CVE-2023-37488Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration.6.1
SAPUI5 (CA-UI5-COR)CVE-2023-37484Cross-Site Scripting (XSS) vulnerabilities in the jQuery-UI library bundled with SAPUI5.6.1
SAP Commerce (CEC-SCC-COM-BC-OCC)CVE-2023-37486Information Disclosure vulnerability in SAP Commerce (OCC API).5.9
SAP Supplier Relationship Management (SRM-EBP-ADM-XBP)CVE-2023-39436Information Disclosure vulnerability in SAP Supplier Relationship Management.5.8
SAP Business One (SBO-CRO-SEC)CVE-2023-37487Security Misconfiguration vulnerability in SAP Business One (Service Layer).5.3
SAP NetWeaver AS ABAP and ABAP Platform (BC-CCM-CNF-PFL)CVE-2023-37492Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform.4.9
SAP BusinessObjects Business Intelligence Platform (BI-RA-WBI)CVE-2023-39440Information Disclosure Vulnerability in SAP Supplier Relationship Management.4.4


SAP has released a security advisory that mentioned detailed information about these vulnerabilities. Users of these products are recommended to upgrade to the latest versions to patch the vulnerabilities. 

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.