SAP Releases Security Update for BusinessObjects

Successful exploitation could lead to full system compromise

Threat details

Proof-of-concept released for CVE-2024-41730

A proof-of-concept has been released for CVE-2024-41730 and NHS England National CSOC now considers exploitation of this vulnerability to be more likely.


Introduction

SAP has released a security update for a missing authentication check vulnerability in BusinessObjects Business Intelligence Platform. The vulnerability, CVE-2024-41730, has a CVSSv3 score of 9.8 and could allow a remote unauthenticated attacker to obtain a logon token using a REST endpoint if Single Sign-On is enabled, potentially leading to full compromise of the system.


Threat updates

Date | Update
19 Nov 2024 | Public proof-of-concept released.
8 Oct 2024 | Update to previously released Security Note

On 8 October 2024, SAP Security Patch Day saw the release of 6 new Security Notes. Further, there were 6 updates to previously released Security Notes, including an additional affected version of SAP BusinessObjects Business Intelligence Platform. ENTERPRISE 420 has been added to the previously mentioned ENTERPRISE 430 and ENTERPRISE 440.


Remediation advice

Affected organisations are encouraged to review the SAP August 2024 Security Notes, SAP October 2024 Security Notes, and apply any relevant updates.



Last edited: 19 November 2024 4:03 pm