Authorization object C_APO_CVC (introduced by note 1235367) is used to limit rights for CVC maintenance.
A user has authorization to create CVCs for a POS A, but not for POS B.
On the first screen of /SAPAPO/MC62 the user enters POS A, then on the next screen, using the get variant button, selects a variant for POS B; authorization is not checked again, so the user is able to create CVCs for POS B.
Available fix and Supported packages
- SCM | 410 | 410
- SCM | 500 | 500
- SCM | 510 | 510
- SCM | 700 | 700
- SCM 700 | SAPKY70003 |
- SCM 510 | SAPKY51010 |
- SCM 410 | SAPKY41020 |
- SCM 500 | SAPKY50017 |
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.