A total of 10 security flaws in SAP patched
According to SecurityWeek on March 14th, SAP this week released its March set of security patches, addressing vulnerabilities of varying severity across its products, including some security flaws that have existed for more than a decade.
Of the 27 security notes issued by SAP, 6 are rated high priority, 19 are rated medium priority, and 4 are updates to previously released security notes.
The most common vulnerability types addressed this month were missing authorization checks (6), followed by information disclosure (5) and cross-site scripting (4). SAP also fixed three SQL injection flaws, two directory traversal issues, two implementation flaws, and single instances of denial of service, hard-coded certificates, XML external entity (XXE) injection, code injection, and clickjacking.
SAP's most severe security note this month addresses three high-priority vulnerabilities in the SAP Internet Graphics Server (IGS) (CVSS base score: 8.8): CVE-2004-1308 (memory corruption), CVE-2005-2974 (denial of service), and CVE-2005-3350 (remote code execution). These vulnerabilities have existed for more than a decade and affect third-party open source image-processing libraries bundled with IGS, namely libtiff, giflib, and libpng (handling TIFF, GIF, and PNG images, respectively).
SAP also addressed two high-priority information disclosure vulnerabilities: one in SAP HANA capture and replay tracking files (CVE-2018-2402, CVSS base score: 7.6) and one in SAP Business Process Automation (BPA) (CVE-2018-2400, CVSS base score: 7.5).
Source: SecurityWeek