Skip links

No authorization check for editor, SAP security note 1357370

Description

In some programs, you can start the editor in change mode, even though the relevant development authorization does not exist (authorization object S_DEVELOP).

However, changes made in the editor are generally not transferred to the current process; the editor call is used only to display dynamically generated ABAP or SQL.

Since you cannot always be sure that the source code that was changed using the editor is executed, the attached corrections ensure that the change authorization is always checked and that only displayed mode is chosen if the user does not have the required authorization.

Available fix and Supported packages

  • SAP_BW | 20B | 20B
  • SAP_BW | 21C | 21C
  • SAP_BW | 30B | 30B
  • SAP_BW | 310 | 310
  • SAP_BW | 350 | 350
  • SAP_BW | 700 | 702
  • SAP_BW | 710 | 720
  • SAP_BW_VIRTUAL_COMP | 30B | 30B
  • SAP_BW_VIRTUAL_COMP | 701 | 701
  • SAP_BW 30B | SAPKW30B34 |
  • SAP_BW 310 | SAPKW31028 |
  • SAP_BW 701 | SAPKW70105 |
  • SAP_BW 700 | SAPKW70022 |
  • SAP_BW 710 | SAPKW71009 |
  • SAP_BW 702 | SAPKW70202 |
  • SAP_BW 711 | SAPKW71104 |
  • SAP_BW 350 | SAPKW35026 |
  • SAP_BW_VIRTUAL_COMP 701 | SAPK-70109INVCBWTECH |
  • SAP_BW_VIRTUAL_COMP 30B | SAPK-30B47INVCBWTECH |

Affected component

    BW-BEX-OT-DBIF
    Interface to Database

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1357370

TAGS

#RSAPO
#APO-interface
#RSDRU
#security-standard
#Securitystandard