Skip links

Security note Security gap in Data Browser (SE16), SAP security note 1133739

Description

Transaction SE16 is a universally applicable function to display any database contents in ABAP systems.
An authorization check against a table authorization group protects the access to this data using this function (authorization object S_TABU_DIS).

If you use transaction SE16 in a certain way, the system may fail to perform this authorization check.  This may allow unauthorized access to any sensitive or critical data.

The correction (Support Package or correction instructions) solves this problem.

Risk mitigation before the correction is effective:  Limit the access to transaction SE16 (authorization object S_TCODE).
We strongly recommend that customers limit the access to SE16 and implement the correction instruction as soon as possible.

Available fix and Supported packages

  • SAP_APPL | 31I | 31I
  • SAP_APPL | 40B | 40B
  • SAP_APPL | 45B | 45B
  • SAP_APPL | 46B | 46B
  • SAP_BASIS | 46B | 46D
  • SAP_BASIS | 620 | 640
  • SAP_BASIS | 700 | 700
  • SAP_BASIS | 710 | 711
  • SAP_APPL 31I | SAPKH31IB9 |
  • SAP_APPL 40B | SAPKH40B89 |
  • SAP_APPL 45B | SAPKH45B67 |
  • SAP_BASIS 46B | SAPKB46B62 |
  • SAP_BASIS 640 | SAPKB64022 |
  • SAP_BASIS 620 | SAPKB62064 |
  • SAP_BASIS 46C | SAPKB46C56 |
  • SAP_BASIS 700 | SAPKB70015 |
  • SAP_BASIS 710 | SAPKB71006 |
  • SAP_BASIS 711 | SAPKB71101 |
  • SAP_BASIS 710 | SAPKB71007 |

Affected component

    BC-SEC
    Security – Read KBA 2985997 for subcomponents

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1133739

TAGS

#Data-Browser
#SE16