SecurityWeek reports that three new vulnerabilities impacting SAP software have been addressed as part of this month's Security Patch Day.
The most severe of the fixed flaws is a critical improper access control bug in the Business One app, tracked as CVE-2023-31403, which could be leveraged to grant anonymous users read and write access to the SMB shared folder, according to Onapsis.
"Affected components are Crystal Report (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder)," Onapsis added.
SAP has also issued fixes for medium-severity vulnerabilities in its NetWeaver AS Java Logon, NetWeaver Application Server ABAP, and ABAP Platform instances.
Updated security notes have also been released for a critical missing authorization check bug in CommonCryptoLib, patched in September, which could be leveraged to enable total app compromise, as well as medium-severity flaws affecting Sybase offerings and NetWeaver AS Java. Immediate patching has been recommended.