SAP Product Security Update Advisories (CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424, CVE-2024-21737, CVE-2024-22125, CVE-2024-21735)
Overview
An update has been made available to fix vulnerabilities in SAP products. Users of affected versions are advised to update to the latest version.
Affected Products
CVE-2023-49583
- SAP BTP Security Services Integration Library @sap/xssec versions earlier than 3.6.0
CVE-2023-50422
- SAP BTP Security Services Integration Library cloud-security-services-integration-library before 2.17.0
- SAP BTP Security Services Integration Library cloud-security-services-integration-library versions from 3.0.0 to 3.3.0 and earlier
CVE-2023-50423
- SAP BTP Security Services Integration Library sap-xssec versions earlier than 4.1.0
CVE-2023-50424
- SAP BTP Security Services Integration Library cloud-security-client-go versions before 0.17.0
CVE-2024-21737
- SAP Application Interface Framework File Adapter version 702
CVE-2024-22125
- SAP GUI connector for Microsoft Edge version 1.0
CVE-2024-21735
- SAP LT Replication Server S4CORE versions 103, 104, 105, 106, 107, 108
Resolved Vulnerabilities
Privilege escalation vulnerability in SAP BTP Security Services Integration Library @sap/xssec (CVE-2023-49583)
Privilege escalation vulnerability in SAP BTP Security Services Integration Library cloud-security-services-integration-library (CVE-2023-50422)
Privilege escalation vulnerability in SAP BTP Security Services Integration Library sap-xssec (CVE-2023-50423)
Elevation of privilege vulnerability in SAP BTP Security Services Integration Library cloud-security-client-go (CVE-2023-50424)
Privilege escalation vulnerability in SAP Application Interface Framework File Adapter (CVE-2024-21737)
Sensitive information access vulnerability in SAP GUI connector for Microsoft Edge (CVE-2024-22125)
Privilege escalation vulnerability in SAP LT Replication Server S4CORE (CVE-2024-21735)
Vulnerability Patches
Patches for these vulnerabilities were made available in the January 9, 2024 update. Follow the instructions on the referenced sites to update to the latest patched version.
CVE-2023-49583
- SAP BTP Security Services Integration Library @sap/xssec version 3.6.0
CVE-2023-50422
- SAP BTP Security Services Integration Library cloud-security-services-integration-library 2.17.0 and later versions to 3.0.0 and earlier versions
- SAP BTP Security Services Integration Library cloud-security-services-integration-library 3.3.0 and later versions
CVE-2023-50423
- SAP BTP Security Services Integration Library sap-xssec version 4.1.0 or later
CVE-2023-50424
- SAP BTP Security Services Integration Library cloud-security-client-go version 0.17.0
CVE-2024-21737
- SAP Application Interface Framework File Adapter versions other than 702
CVE-2024-22125
- SAP GUI connector for Microsoft Edge versions other than 1.0
CVE-2024-21735
- SAP LT Replication Server S4CORE versions other than 103, 104, 105, 106, 107, 108
Referenced Sites
[1] SAP Security Patch Day - January 2024
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
[2] CVE-2023-49583
https://www.cve.org/CVERecord?id=CVE-2023-49583
[3] CVE-2023-49583 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-49583#range-10207563
[4] CVE-2023-50422
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
[5] CVE-2023-50422 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
[6] CVE-2023-50423
https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5
[7] CVE-2023-50423 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
[8] CVE-2023-50424
https://github.com/SAP/cloud-security-client-go/security/advisories/GHSA-m8rw-rcpq-2vp2
[9] CVE-2023-50424 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50424
[10] CVE-2024-21737 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-21737#match-10211840
[11] Under certain conditions the Microsoft Edge browser…
https://github.com/advisories/GHSA-8hc8-mhjh-c5rj
[12] CVE-2024-22125 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-22125
[13] CVE-2024-21735 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-21735
[14] SAP LT Replication Server – version S4CORE 103, S4CORE…
https://github.com/advisories/GHSA-hwv9-7vf2-6394