Description
UPDATE 17th November 2020: This note has been re-released with updated ‘Support Packages & Patches’ information. For the release S4CORE 104, we added the support package SP00.
SAP AS ABAP and SAP S/4 HANA allows an authenticated attacker to inject arbitrary code in the application and change the course of execution. Due to lack of input validation, an attacker, who was granted access (S_RFC) to execute the function module can inject malicious ABAP code, which will be saved persistently in a report in the ABAP repository .
This report can then be executed by using the remote function module without additional authorization checks. The successful exploitation of the identified vulnerability can allow the attacker to take complete control of the affected system.
Available fix and Supported packages
- DMIS | 2011_1_620 | 2011_1_620
- DMIS | 2011_1_640 | 2011_1_640
- DMIS | 2011_1_700 | 2011_1_700
- DMIS | 2011_1_710 | 2011_1_710
- DMIS | 2011_1_730 | 2011_1_730
- DMIS | 2011_1_731 | 2011_1_731
- DMIS | 2018_1_752 | 2018_1_752
- DMIS | 2020 | 2020
- S4CORE | 100 | 100
- S4CORE | 101 | 101
- S4CORE | 102 | 102
- S4CORE | 103 | 103
- S4CORE | 104 | 104
- S4CORE | 105 | 105
- DMIS 2018_1_752 | SAPK-20105INDMIS |
- DMIS 2011_1_620 | SAPK-11120INDMIS |
- DMIS 2011_1_640 | SAPK-11220INDMIS |
- DMIS 2011_1_710 | SAPK-11420INDMIS |
- DMIS 2011_1_730 | SAPK-11520INDMIS |
- DMIS 2011_1_731 | SAPK-11620INDMIS |
- DMIS 2011_1_700 | SAPK-11320INDMIS |
- DMIS 2020 | SAPK-20201INDMIS |
- | SAPK-123BHINSAPSCORE |
- S4CORE 105 | SAPK-10501INS4CORE |
- S4CORE 101 | SAPK-10110INS4CORE |
- S4CORE 102 | SAPK-10208INS4CORE |
- S4CORE 103 | SAPK-10306INS4CORE |
- S4CORE 104 | SAPK-10404INS4CORE |
Affected component
- CA-LT-PCL
Landscape Transformation – PCL Basis
CVSS
Score: 9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2973735
