Description
The following problems were identified in the functions in ST-PI:
- 1. Extensive authorizations for the object ‘S_RFC’ allow certain non-RFC-capable function modules to be called using an RFC user.
- 2. It is possible to read files using an RFC access without sufficient authorization checks being carried out.
- 3. Only one insufficient check of the import parameter is carried out for certain form routines for generating includes that are used to call function modules for Service Data Control Center (SDCCN) data download.
These affected functions are used during the download collection in the EarlyWatch Alert, during the central system administration, and in Business Process Monitoring in the Solution Manager.
Available fix and Supported packages
- ST-PI | 2008_1_46C | 2008_1_46C
- ST-PI | 2008_1_620 | 2008_1_620
- ST-PI | 2008_1_640 | 2008_1_640
- ST-PI | 2008_1_700 | 2008_1_700
- ST-PI | 2008_1_710 | 2008_1_710
- ST-PI 2008_1_46C | SAPKITLRA3 |
- ST-PI 2008_1_620 | SAPKITLRB3 |
- ST-PI 2008_1_710 | SAPKITLRE3 |
- ST-PI 2008_1_46C | SAPKITLRA4 |
- ST-PI 2008_1_620 | SAPKITLRB4 |
- ST-PI 2008_1_640 | SAPKITLRC4 |
- ST-PI 2008_1_700 | SAPKITLRD4 |
- ST-PI 2008_1_710 | SAPKITLRE4 |
Affected component
- SV-SMG-SDD
Service Data Download
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1490437