Description
While reading disbursement data using the Disbursement read webservice , authorization checks are not performed for an authenticated user, resulting in escalation of privileges.
Some well-known impacts of Missing Authorization check are –
- abuse functionality restricted to a particular user group
- read, modify or delete restricted data
Available fix and Supported packages
- FSAPPL | 400 | 400
- FSAPPL | 500 | 500
- CB4HANA | 100 | 100
- FSAPPL 500 | SAPK-50015INFSAPPL |
- FSAPPL 400 | SAPK-40030INFSAPPL |
- CB4HANA 100 | SAPK-10002INCB4HANA |
Affected component
- FS-AM-OM-AC-DB
Disbursement (Loans)
CVSS
Score: 3.0
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Exploit
Exploit is not available.
For detailed information please contact the mail [email protected]
URL
https://launchpad.support.sap.com/#/notes/2947891
