Skip links
RedRays - Your SAP Security Solution
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

Possible disclosure of data in function grp BCA_API_CN_CTRL, SAP security note 1509064

Description

A malicious user can make specific entries in the function modules BCA_API_CHECK_TABLE_VAL_EXISTS, BCA_API_CN_CTRL_CHCKTAB_VAL_EX, BCA_API_CN_CTRL_CHCKTAB_VAL_GE and BCA_CHECK_TABLE_VALUE_EXISTS in the function group BCA_API_CN_CTRL to disclose additional data or to change data saved in the database.

Available fix and Supported packages

  • FSAPPL | 100 | 100
  • FSAPPL | 200 | 200
  • FSAPPL | 300 | 300
  • BANK-TRBK | 30 | 30
  • BANK-TRBK | 40 | 40
  • FSAPPL 100 | SAPKISC214 |
  • FSAPPL 200 | SAPKISC313 |
  • FSAPPL 300 | SAPK-30006INFSAPPL |
  • BANK-TRBK 30 | SAPKISCC12 |
  • BANK-TRBK 40 | SAPKISC109 |

Affected component

    FS-AM-CM-CF
    Contract Framework

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1509064

TAGS

#SQL-injection
#database
#BCA_API_CHECK_TABLE_VAL_EXISTS
#BCA_API_CN_CTRL_CHCKTAB_VAL_EX
#BCA_API_CN_CTRL_CHCKTAB_VAL_GE
#BCA_CHECK_TABLE_VALUE_EXISTS
#BCA_API_CN_CTRL

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN