Description
Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, even though the caller's access to those assignments would otherwise be restricted to viewing them.
Known impacts of this vulnerability:
- Privilege escalation for the user in the systems connected to SAP Identity Management
- Loss of confidentiality and integrity, depending on which systems are connected to SAP Identity Management
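To make the failure class concrete, and to give a check that can be run against a patched instance, here is an added example that is not SAP's code, not the RedRays PoC, and not a reconstruction of the actual defect behind note 2784307: a minimal model of a REST resource whose permission check covers GET but not PUT, beside its hardened form, and a probe that uses a view-only credential to confirm that modifying requests are refused and have no effect. The path /idmrest/v2/assignments/<id>, the bearer tokens, the permission names and the sample assignment data are all constructed assumptions for illustration, not documented SAP IDM REST Interface v2 details.

```python
import json
import threading
from copy import deepcopy
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample data (not real IDM data): one user's assignments and
# two principals, one that may only view and one that may also modify.
SAMPLE_ASSIGNMENTS = {"u1": {"roles": ["VIEWER"]}}
PRINCIPALS = {
    "viewer-token": {"view_assignments"},
    "admin-token": {"view_assignments", "modify_assignments"},
}
# Assumed path for illustration only, not the documented SAP IDM REST v2 path.
PREFIX = "/idmrest/v2/assignments/"


def make_handler(enforce_on_write):
    """Handler over a private copy of the sample data. enforce_on_write=False
    models the flaw class: GET checks the view permission, but PUT only checks
    that the caller is authenticated, so a view-only principal can rewrite."""
    assignments = deepcopy(SAMPLE_ASSIGNMENTS)

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass

        def _perms(self):
            auth = self.headers.get("Authorization", "")
            token = auth[7:] if auth.startswith("Bearer ") else ""
            return PRINCIPALS.get(token)

        def _send(self, code, body=None):
            data = json.dumps(body if body is not None else {}).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def _uid(self):
            return self.path[len(PREFIX):] if self.path.startswith(PREFIX) else None

        def do_GET(self):
            perms, uid = self._perms(), self._uid()
            if perms is None:
                return self._send(401)
            if "view_assignments" not in perms:
                return self._send(403)
            if uid not in assignments:
                return self._send(404)
            self._send(200, assignments[uid])

        def do_PUT(self):
            # Drain the body first so an early rejection does not reset the socket.
            raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            perms, uid = self._perms(), self._uid()
            if perms is None:
                return self._send(401)
            # Hardened form: a write needs the write permission, not just a login.
            if enforce_on_write and "modify_assignments" not in perms:
                return self._send(403)
            if uid not in assignments:
                return self._send(404)
            assignments[uid] = json.loads(raw)
            self._send(200, assignments[uid])

    return Handler


def serve(enforce_on_write):
    """Start a throwaway server on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(enforce_on_write))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def _call(url, token, method, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as exc:
        return exc.code, {}


def probe_read_only(base_url, token, user_id="u1"):
    """The check to run with a view-only credential: GET must work, PUT must be
    refused, and the record must be unchanged. Returns (get, put, write_refused)."""
    url = f"{base_url}{PREFIX}{user_id}"
    get_status, before = _call(url, token, "GET")
    put_status, _ = _call(url, token, "PUT", {"roles": ["VIEWER", "ADMIN"]})
    _, after = _call(url, token, "GET")
    return get_status, put_status, put_status in (401, 403, 405) and after == before


def run_demo():
    """Probe the flawed and hardened models; returns a name -> probe result dict."""
    results = {}
    for name, enforce, token in (("vulnerable_viewer", False, "viewer-token"),
                                 ("hardened_viewer", True, "viewer-token"),
                                 ("hardened_admin", True, "admin-token")):
        srv, base = serve(enforce)
        try:
            results[name] = probe_read_only(base, token)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo()))
```

Against a real instance, point probe_read_only at the patched system with the documented v2 assignment endpoint and a credential that holds only display rights; because the probe reads the record, attempts the write, and reads it again, a passing result means the write was both refused and had no effect, which is the property the fix must restore.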
Available fix and Supported packages
Software component (from release | to release):
- IDMREST | 8.0 | 8.0
- IDMIC | 8.0 | 8.0
Support package patches (support package | patch level):
- IDENTITY CENTER REST API 8.0 | SP006 | 000009
- IDM 8.0 UIS FOR NW 7.30 | SP006 | 000025
Affected component
- BC-IAM-IDM (Identity Management)
CVSS
Base score: 8.4 (High)
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2784307