Description
You can use the RSSCAUTH report to change the authorization group of a program. The program authorization group is used as a parameter of the S_PROGRAM authorization object when you execute a report. It is therefore an essential criterion for determining whether or not a user can execute a report.
However, the RSCSAUTH report is insufficiently protected against uncontrolled execution:
When you start the RSCSAUTH report, the system only checks whether the user has an authorization (that includes the “SAP_ALL” value in the “Authorization group ABAP program” authorization field) for the S_PROGRAM authorization object.
This means that it is frequently possible for a large group of people to execute RSCSAUTH. This is undesirable because of the far-reaching effects that the use of the RSCSAUTH report can have.
Available fix and Supported packages
- SAP_BASIS | 46A | 46D
- SAP_BASIS | 610 | 640
- SAP_BASIS 46C | SAPKB46C47 |
- SAP_BASIS 46B | SAPKB46B56 |
- SAP_BASIS 610 | SAPKB61039 |
- SAP_BASIS 640 | SAPKB64001 |
- SAP_BASIS 620 | SAPKB62037 |
- SAP_BASIS 46D | SAPKB46D36 |
Affected component
- BC-SEC
Security – Read KBA 2985997 for subcomponents
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact support@redrays.io for details.
URL
https://launchpad.support.sap.com/#/notes/694148
