Two new and one updated security notes are rated ‘hot news’, the highest severity in SAP’s playbook, addressing critical flaws in Business Client, CX Commerce, and NetWeaver Application Server ABAP and ABAP Platform.
SAP also patched CVE-2022-36364 (CVSS score of 8.8), a remote code execution flaw in the Apache Calcite Avatica library, which exists because the library’s JDBC driver does not perform sufficient checks for expected interfaces before instantiating HTTP client instances.
The second new hot news note released on SAP’s May 2024 Security Patch Day resolves CVE-2024-33006 (CVSS score of 9.6), a file upload bug in NetWeaver that exists because a signature check for two content repositories is missing.