RedRays SAP Security Team

June 7, 2016
12:00 am

Missing Authorization check in SD-MD-CH, SAP security note 2316249

Description

SD-MD-CH does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Some well-known impacts of Missing Authorization check are –

abuse functionality restricted to a particular user group
read, modify or delete restricted data

Available fix and Supported packages

SAP_APPL | 600 | 600
SAP_APPL | 602 | 602
SAP_APPL | 603 | 603
SAP_APPL | 604 | 604
SAP_APPL | 605 | 605
SAP_APPL | 606 | 606
SAP_APPL | 616 | 616
SAP_APPL | 617 | 617
SAP_APPL | 618 | 618
S4CORE | 100 | 100
SAP_APPL 616 | SAPKH61610 |
SAP_APPL 617 | SAPKH61712 |
SAP_APPL 600 | SAPKH60029 |
SAP_APPL 618 | SAPK-61803INSAPAPPL |
SAP_APPL 602 | SAPKH60219 |
SAP_APPL 603 | SAPKH60318 |
SAP_APPL 604 | SAPKH60419 |
SAP_APPL 605 | SAPKH60516 |
SAP_APPL 606 | SAPKH60618 |
| SAPK-S4CLOUD_1608 |
S4CORE 100 | SAPK-10003INS4CORE |

Affected component

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2316249

TAGS

#Access-control
#Authorization-error
#Authorization-profile

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

RedRays SAP Security Team

Missing Authorization check in SD-MD-CH, SAP security note 2316249

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control
#Authorization-error
#Authorization-profile

Udemy SAP Security Course.

More to explorer

[PoC] SAP Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java

CVE-2024-37180 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

CVE-2024-47594 – Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Enterprise Portal (KMC)

SAP Security Patch Day – October 2024

RedRays SAP Security Team

Missing Authorization check in SD-MD-CH, SAP security note 2316249

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control#Authorization-error#Authorization-profile

Udemy SAP Security Course.

More to explorer

[PoC] SAP Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java

CVE-2024-37180 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

CVE-2024-47594 – Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Enterprise Portal (KMC)

SAP Security Patch Day – October 2024

Special offer for SAP Security Udemy course!

$ 9.99

#Access-control
#Authorization-error
#Authorization-profile