Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2020-6301 Missing Authorization check in SAP ERP (HCM Travel Management), SAP security note 2949196

Description

UPDATE 13th October 2020: This note has been re-released with updated ‘Validity’ and ‘Support Packages & Patches’ information.

SAP ERP’s HCM Travel Management trip accounting allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges.

Available fix and Supported packages

Affected software component and releases (Software Component | From release | To release):

  • EA-HRGXX | 600 | 600
  • EA-HRGXX | 602 | 602
  • EA-HRGXX | 603 | 603
  • EA-HRGXX | 604 | 604
  • EA-HRGXX | 605 | 605
  • EA-HRGXX | 606 | 606
  • EA-HRGXX | 607 | 607
  • EA-HRGXX | 608 | 608

Support Packages containing the correction (Software Component and release | Support Package):

  • EA-HRGXX 600 | SAPK-600I9INEAHRGXX
  • EA-HRGXX 602 | SAPK-602G8INEAHRGXX
  • EA-HRGXX 603 | SAPK-603G3INEAHRGXX
  • EA-HRGXX 604 | SAPK-604F5INEAHRGXX
  • EA-HRGXX 605 | SAPK-605D2INEAHRGXX
  • EA-HRGXX 606 | SAPK-606B7INEAHRGXX
  • EA-HRGXX 607 | SAPK-607A6INEAHRGXX
  • EA-HRGXX 608 | SAPK-60883INEAHRGXX

Affected component

    FI-TV-COS (Trip Costs)

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2949196

TAGS

#Access-control
#Authorization-error
#Authorization-profile
#CVE-2020-6301
