Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Missing Authorization check in SAP EHS (task related applications), SAP security note 2738065

Description

The Manage Task Definition, Manage Change Request Task and Manage Maintenance Notification Task applications, do not carry out the necessary authorization checks for user authentication. This results in unauthorized access to actions in the system.

Some well-known impacts of the missing authorization check are the following:

  • Malicious use of authorizations and functionality restricted to a particular user group.
  • Read, modify, or delete restricted data

Available fix and Supported packages

  • S4CORE | 103 | 103
  • | SAPK-S4CLOUD_1905 |
  • S4CORE 103 | SAPK-10302INS4CORE |

Affected component

    EHS-SUS-FND
    Sustainability Foundation

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2738065

TAGS

#Access-Control
#Authorization-Error
#Authorization-Profile
#Restrictions
#Unauthorized-Use-of-Functionality

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.