Skip links

Missing authorization check in transaction SUB%, SAP security note 842915

Description

Any transactions can be started from transaction SUB% without the relevant transaction start authorization for each transaction being checked against S_TCODE.

Reports can also be started with transaction SUB%. However, an authorization check is always performed against S_PROGRAM for these reports, provided that the report in question is assigned to an authorization group.

Available fix and Supported packages

  • SAP_APPL | 40A | 40B
  • SAP_APPL | 45A | 45B
  • SAP_BASIS | 46A | 46D
  • SAP_BASIS | 610 | 640
  • SAP_BASIS | 700 | 700
  • SAP_APPL 40B | SAPKH40B86 |
  • SAP_APPL 45B | SAPKH45B64 |
  • SAP_BASIS 46B | SAPKB46B59 |
  • SAP_BASIS 46C | SAPKB46C51 |
  • SAP_BASIS 640 | SAPKB64013 |
  • SAP_BASIS 700 | SAPKB70002 |
  • SAP_BASIS 46D | SAPKB46D41 |
  • SAP_BASIS 620 | SAPKB62052 |
  • SAP_BASIS 610 | SAPKB61044 |

Affected component

    BC-ABA-LA
    Syntax, Compiler, Runtime

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/842915

TAGS

#Report-SAPMSSYS
#missing-authorization-check
#authorization-object-S_TCODE
#SAP-shortcuts

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies