Description
In some programs, you can start the editor in change mode, even though the relevant development authorization does not exist (authorization object S_DEVELOP).
However, changes made in the editor are generally not transferred to the current process; the editor call is used only to display dynamically generated ABAP or SQL.
Since you cannot always be sure that the source code that was changed using the editor is executed, the attached corrections ensure that the change authorization is always checked and that only displayed mode is chosen if the user does not have the required authorization.
Available fix and Supported packages
- SAP_BW | 20B | 20B
- SAP_BW | 21C | 21C
- SAP_BW | 30B | 30B
- SAP_BW | 310 | 310
- SAP_BW | 350 | 350
- SAP_BW | 700 | 702
- SAP_BW | 710 | 720
- SAP_BW_VIRTUAL_COMP | 30B | 30B
- SAP_BW_VIRTUAL_COMP | 701 | 701
- SAP_BW 30B | SAPKW30B34 |
- SAP_BW 310 | SAPKW31028 |
- SAP_BW 701 | SAPKW70105 |
- SAP_BW 700 | SAPKW70022 |
- SAP_BW 710 | SAPKW71009 |
- SAP_BW 702 | SAPKW70202 |
- SAP_BW 711 | SAPKW71104 |
- SAP_BW 350 | SAPKW35026 |
- SAP_BW_VIRTUAL_COMP 701 | SAPK-70109INVCBWTECH |
- SAP_BW_VIRTUAL_COMP 30B | SAPK-30B47INVCBWTECH |
Affected component
- BW-BEX-OT-DBIF
Interface to Database
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1357370
