Advisory
SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3490515
was released on
09.07.2024 and deals with
"[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce" within SAP Commerce.
We advice you to follow the instructions, to resolve
missing authorization check
with a
high potential for exploitation
in component CEC-SCC-COM-BC-CS.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as monthly patch process.
Missing authority checks are still the most common security defect related to authorizations in custom code. Since SAP uses an explicit authorization model, an authority checks must be coded in order to be executed. If an explicit check is not coded, all users have access. This type of vulnerability not only exists in SAP standard it also exists in customer coding. Check your custom developments for vulnerabilities that pose a risk to your systems. SecurityBridge helps detect code vulnerabilities before they are implemented in production.
Risk specification
SAP Commerce unauthenticated attacker to misuse the forgotten password functionality to gain access to a Composable Storefront B2B site, the early login and registration option is activated, without requiring the approve of the admin. If the site was not configured as isolated, the vulnerability effect also other sites that are linked to this non-Isolated site resulting in an missing authorization vulnerability.Solution
The vulnerability is now fixed by not sending password reset emails when a password reset is requested by the user which was not approved beforehand by the admin. Alternativly, the consulting team has proposed the following: "If Early Login is enabled on an isolated Composable Storefront B2B sites, disable Registration on the same site. If Early Login is enabled on one of multiple non-isolated Composable Storefront B2B sites, disable Registration for all non-isolated sites. For details about configuring Early Login and Registration, see Early Login and Registration (https://help.sap.com/docs/SAP_COMMERCE_CLOUD_PUBLIC_CLOUD/7e47d40a176d48ba914b50957d003804/8ac4edc486691014af43e39b142bc29a.html#early-login-and-registration).". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 7.2 score.
- 10.0 [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)
- 10.0 [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack)
- 9.8 [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
- 9.6 [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation
- 9.6 [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
