{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-079.pdf"
    },
    "title": "Critical SAP Authentication Bypass Vulnerability",
    "serial_number": "2024-079",
    "publish_date": "14-08-2024 13:38:09",
    "description": "On August 13, 2024, SAP released a security advisory for a critical authentication bypass vulnerability, CVE-2024-41730, in SAP BusinessObjects Business Intelligence Platform. This flaw allows remote attackers to bypass authentication mechanisms, potentially leading to full system compromise. The vulnerability has a CVSS score of 9.8, highlighting its severity.<br>\n",
    "url_title": "2024-079",
    "content_markdown": "---\ntitle: 'Critical SAP Authentication\u00a0Bypass\u00a0Vulnerability'\nnumber: '2024-079'\nversion: '1.0'\noriginal_date: 'August 13, 2024'\ndate: 'August 14, 2024'\n---\n\n_History:_\n\n* _14/08/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn August 13, 2024, SAP released a security advisory [1] for a critical authentication bypass vulnerability, **CVE-2024-41730**, in SAP BusinessObjects Business Intelligence Platform. This flaw allows remote attackers to bypass authentication mechanisms, potentially leading to full system compromise. The vulnerability has a CVSS score of 9.8, highlighting its severity.\n\n# Technical Details\n\nCVE-2024-41730 is a \"missing authentication check\" vulnerability. If Single Sign-On is enabled for Enterprise authentication, an attacker can exploit a REST endpoint to obtain a logon token and compromise the system entirely, affecting confidentiality, integrity, and availability [1,2].\n\n# Affected Products\n\n- SAP BusinessObjects Business Intelligence Platform version 430\n- SAP BusinessObjects Business Intelligence Platform version 440\n\n# Recommendations\n\nCERT-EU strongly advises applying the security patches provided by SAP immediately to mitigate this critical vulnerability.\n\n# References\n\n[1] <https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html>\n\n[2] <https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/>\n ",
    "content_html": "<p><em>History:</em></p><ul><li><em>14/08/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 13, 2024, SAP released a security advisory [1] for a critical authentication bypass vulnerability, <strong>CVE-2024-41730</strong>, in SAP BusinessObjects Business Intelligence Platform. This flaw allows remote attackers to bypass authentication mechanisms, potentially leading to full system compromise. The vulnerability has a CVSS score of 9.8, highlighting its severity.</p><h2 id=\"technical-details\">Technical Details</h2><p>CVE-2024-41730 is a \"missing authentication check\" vulnerability. If Single Sign-On is enabled for Enterprise authentication, an attacker can exploit a REST endpoint to obtain a logon token and compromise the system entirely, affecting confidentiality, integrity, and availability [1,2].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>SAP BusinessObjects Business Intelligence Platform version 430</li><li>SAP BusinessObjects Business Intelligence Platform version 440</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly advises applying the security patches provided by SAP immediately to mitigate this critical vulnerability.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html\">https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/\">https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}