SAP Security Notes, April 2026

Hot News note 3719353 patches a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability arises from insufficient authorization checks for user uploads in a specific ABAP program. The fix included in the note deactivates the executable code within that ABAP program, removing every execution path: with the code disabled, the program can no longer be invoked or executed by users. As a workaround, access to authorization object S_GUI with activity 60 can be restricted.
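As an added illustration (not code from the SAP note or from the affected program), the kind of check whose absence the note describes, shown in a hypothetical upload report: an explicit AUTHORITY-CHECK on S_GUI activity 60 before the client-side file upload, which is what makes the role-based workaround effective. The report name, file path and messages are assumptions.

```abap
REPORT z_guarded_upload.
" Hypothetical example; not the program fixed by note 3719353.
" Shows the authorization check on S_GUI (activity 60 = Import/upload)
" that should precede any user-driven file upload.

DATA: lt_lines TYPE TABLE OF string,
      lv_file  TYPE string VALUE 'C:\temp\input.txt'.  " constructed sample path

" Refuse the request unless the user holds S_GUI with ACTVT 60.
" Without this check, any dialog user who can reach the report could upload,
" and restricting S_GUI in roles would not block the upload path.
AUTHORITY-CHECK OBJECT 'S_GUI'
  ID 'ACTVT' FIELD '60'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization for file upload (S_GUI, activity 60)' TYPE 'E'.
ENDIF.

" Reached only when the authorization check succeeded.
cl_gui_frontend_services=>gui_upload(
  EXPORTING
    filename = lv_file
    filetype = 'ASC'
  CHANGING
    data_tab = lt_lines
  EXCEPTIONS
    OTHERS   = 1 ).
IF sy-subrc <> 0.
  MESSAGE 'File upload failed' TYPE 'E'.
ENDIF.

" Uploaded content is untrusted input: validate and escape it before it
" is used in any dynamic WHERE clause or native SQL statement.
```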

Note 3731908 addresses a high-risk missing authorization check in SAP ERP and S/4HANA. The vulnerability can be exploited to overwrite ABAP reports and impact the availability of the reports. Access to the vulnerable programs RGJVCORG and RGJVCORX can be restricted using authorization groups as a workaround.

Missing authorization checks in S/4HANA are also addressed by several lower-priority security notes released in April, including 3703813, 3715177, 3715097, 3711682, 3530544 and 3716767.

Note 3692004 provides a fix for an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP. The vulnerability can be exploited by attackers to redirect users to web pages through malicious URLs.

Note 3680767 addresses an information disclosure vulnerability in SAP Human Capital Management (HCM) for SAP S/4HANA that could lead to the leakage of sensitive information.

Note 3730639 patches an information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer that could lead to the compromise of mutual SSL/TLS (mTLS) authentication based on X.509 certificates.

Note 3719397 fixes a code injection vulnerability affecting the Web Dynpro runtime in SAP NetWeaver Application Server Java. The vulnerability can be exploited to compromise user sessions and execute arbitrary client-side code.