Description
Transaction SE16 is a universally applicable function to display any database contents in ABAP systems.
An authorization check against a table authorization group protects the access to this data using this function (authorization object S_TABU_DIS).
If you use transaction SE16 in a certain way, the system may fail to perform this authorization check. This may allow unauthorized access to any sensitive or critical data.
The correction (Support Package or correction instructions) solves this problem.
Risk mitigation before the correction is effective: Limit the access to transaction SE16 (authorization object S_TCODE).
We strongly recommend that customers limit the access to SE16 and implement the correction instruction as soon as possible.
Available fix and Supported packages
- SAP_APPL | 31I | 31I
- SAP_APPL | 40B | 40B
- SAP_APPL | 45B | 45B
- SAP_APPL | 46B | 46B
- SAP_BASIS | 46B | 46D
- SAP_BASIS | 620 | 640
- SAP_BASIS | 700 | 700
- SAP_BASIS | 710 | 711
- SAP_APPL 31I | SAPKH31IB9 |
- SAP_APPL 40B | SAPKH40B89 |
- SAP_APPL 45B | SAPKH45B67 |
- SAP_BASIS 46B | SAPKB46B62 |
- SAP_BASIS 640 | SAPKB64022 |
- SAP_BASIS 620 | SAPKB62064 |
- SAP_BASIS 46C | SAPKB46C56 |
- SAP_BASIS 700 | SAPKB70015 |
- SAP_BASIS 710 | SAPKB71006 |
- SAP_BASIS 711 | SAPKB71101 |
- SAP_BASIS 710 | SAPKB71007 |
Affected component
- BC-SEC
Security – Read KBA 2985997 for subcomponents
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1133739
