SAP Security Notes, March 2025
Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM is used to restrict access to programs executed using the transaction. The restriction is based on authorization groups, so a program must be assigned to an authorization group before S_PROGRAM can restrict it; programs without a group are not covered by this object. The Class Builder is used to create, maintain and test classes for ABAP objects, attributes and methods.
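As an added example (not code from the SAP note or from SAP), the report below shows the mechanism the note relies on: it reads a program's authorization group from TRDIR-SECU and performs the same S_PROGRAM check the system applies when a program is executed. The report name and the P_PROG and P_ACTN parameters are my own; it only reports the outcome and does not execute the program.

```abap
" Added example, not SAP code. Checks whether the current user would pass the
" S_PROGRAM authorization check for a given program and action.
REPORT zsecu_sprogram_check.

PARAMETERS: p_prog TYPE trdir-name OBLIGATORY,             " program to check
            p_actn TYPE c LENGTH 10 DEFAULT 'SUBMIT'.      " S_PROGRAM action

DATA: lv_group TYPE trdir-secu,   " authorization group of the program
      lv_msg   TYPE string.

" 1. Read the program's authorization group from the program directory.
SELECT SINGLE secu FROM trdir INTO lv_group WHERE name = p_prog.
IF sy-subrc <> 0.
  lv_msg = |Program { p_prog } not found in TRDIR.|.
  MESSAGE lv_msg TYPE 'E'.
ENDIF.

" 2. Without an authorization group, S_PROGRAM cannot restrict this program at all.
IF lv_group IS INITIAL.
  lv_msg = |{ p_prog }: no authorization group assigned; S_PROGRAM does not apply.|.
  WRITE / lv_msg.
  WRITE / 'Assign an authorization group in the program attributes before relying on S_PROGRAM.'.
  RETURN.
ENDIF.

" 3. The check the system performs for the program's group and the requested action.
AUTHORITY-CHECK OBJECT 'S_PROGRAM'
  ID 'P_GROUP'  FIELD lv_group
  ID 'P_ACTION' FIELD p_actn.

IF sy-subrc = 0.
  lv_msg = |{ sy-uname } is authorized for action { p_actn } on { p_prog } (group { lv_group }).|.
ELSE.
  lv_msg = |{ sy-uname } is NOT authorized for action { p_actn } on { p_prog } (group { lv_group }).|.
ENDIF.
WRITE / lv_msg.
```

Running it for a program that reports no authorization group identifies exactly the programs that S_PROGRAM leaves unrestricted, which is the gap the note's correction narrows for execution from the Class Builder.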
Note 3569602 patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce. The vulnerability arises from insufficient input validation in an open-source library included in SAP Commerce. The note includes a workaround that details steps for removing the use of the vulnerable component or blocking access to the component using network or host firewalls.
Vulnerabilities in open-source components also impact SAP Commerce Cloud. The vulnerabilities are addressed in note 3566851. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to Denial of Service (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316).
Note 3567974 deals with an authentication bypass vulnerability that could be exploited using code injection in SAP Approuter. All SAP Approuter deployments in BTP are affected. SAP recommends updating deployments to version 16.7.2 or higher.
Note 3483344 was updated to cover components supporting PDCE in S/4HANA that are vulnerable to a missing authentication check. The components include S4CORE, S4COREOP and SEM-BW.