
SAP patches three-year-old vulnerability, plus 20 more flaws

SAP on June 14 patched 21 product vulnerabilities, including an information disclosure flaw that was originally disclosed more than three years ago.

The information disclosure vulnerability existed in SAP's BI (Business Intelligence) Reporting and Planning process. If exploited, the issue could have allowed attackers to uncover system data and debugging information, and leverage this digital intelligence for future attacks.

The 21 total vulnerabilities, four of which were critical, were categorized as follows: five cross-site scripting, five missing authorization, four implementation flaws, two denial of service (DoS), two directory traversals, one code injection, one XML external entity and one information disclosure.

The most critical case was the code injection vulnerability, which was found in SAP Documentation and Translation Tools. The flaw could have allowed bad actors to inject and execute malicious code capable of manipulating data, modifying system output, elevating privileges and even performing DoS attacks.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
