Skip links
RedRays - Your SAP Security Solution
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Missing authorization check in transaction SUB%, SAP security note 842915

Description

Any transactions can be started from transaction SUB% without the relevant transaction start authorization for each transaction being checked against S_TCODE.

Reports can also be started with transaction SUB%. However, an authorization check is always performed against S_PROGRAM for these reports, provided that the report in question is assigned to an authorization group.

Available fix and Supported packages

  • SAP_APPL | 40A | 40B
  • SAP_APPL | 45A | 45B
  • SAP_BASIS | 46A | 46D
  • SAP_BASIS | 610 | 640
  • SAP_BASIS | 700 | 700
  • SAP_APPL 40B | SAPKH40B86 |
  • SAP_APPL 45B | SAPKH45B64 |
  • SAP_BASIS 46B | SAPKB46B59 |
  • SAP_BASIS 46C | SAPKB46C51 |
  • SAP_BASIS 640 | SAPKB64013 |
  • SAP_BASIS 700 | SAPKB70002 |
  • SAP_BASIS 46D | SAPKB46D41 |
  • SAP_BASIS 620 | SAPKB62052 |
  • SAP_BASIS 610 | SAPKB61044 |

Affected component

    BC-ABA-LA
    Syntax, Compiler, Runtime

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/842915

TAGS

#Report-SAPMSSYS
#missing-authorization-check
#authorization-object-S_TCODE
#SAP-shortcuts

More to explorer

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,