Skip links
RedRays
Published in: sap note

Missing Authorization Checks in the Monitor Data and My Data Collections Apps, SAP security note 2990992

Author
Published on:

Description

The Monitor Data (F2436) and My Data Collections (F3991) apps do not perform the necessary authorization checks for an authenticated user, resulting in an escalation of privileges.

 Some well-known impacts of missing authorization checks are:

  • abuse functionality restricted to a particular user group
  • read, modify, or delete restricted data

Available fix and Supported packages

  • S4CORE | 102 | 102
  • S4CORE | 103 | 103
  • S4CORE | 104 | 104
  • S4CORE | 105 | 105
  • | SAPK-123BHINSAPSCORE |
  • S4CORE 105 | SAPK-10501INS4CORE |
  • S4CORE 102 | SAPK-10208INS4CORE |
  • S4CORE 103 | SAPK-10306INS4CORE |
  • S4CORE 104 | SAPK-10404INS4CORE |

Affected component

    EHS-SUS-EM
    Environment Management

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2990992

TAGS

#Access-control
#Authorization-error
#Authorization-profile

You may also like