Vahagn Vardanian

Co-founder and CTO of RedRays

Missing authorization checks in function modules related to CRM knowledgebases for configurable products, SAP security note 2271018

Description

This SAP note describes new authorization checks in the following RFC function modules for CRM Configuration Knowledgebases:

COM_PME_GET_NEW_IDS

COM_PME_DB_INSERT_STABLE

COM_PME_DB_INSERT_KB_START

COM_PME_DB_INSERT_KB_END

COM_PME_DB_INSERT_CFGKB

COM_PME_DB_INSERT_VTABLE

COM_PME_DB_TRANS_START

COM_PME_DB_TRANS_ROLLBACK

COM_PME_DB_TRANS_COMMIT

CRM_SCE_DB_TRANS_INIT_RFC

Available fix and Supported packages

  • BBPCRM | 700 | 700
  • BBPCRM | 701 | 701
  • BBPCRM | 702 | 702
  • BBPCRM | 712 | 712
  • BBPCRM | 713 | 713
  • BBPCRM | 714 | 714
  • BBPCRM 700 | SAPKU70018
  • BBPCRM 701 | SAPKU70115
  • BBPCRM 712 | SAPKU71210
  • BBPCRM 702 | SAPKU70217
  • BBPCRM 714 | SAPK-71402INBBPCRM
  • BBPCRM 713 | SAPKU71312

Affected component

    CRM-BF-CFG
    Product Configuration

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2271018

TAGS

#Authorization
#authorization-check
#PME
#configuration-knowledgebase
