Skip links
RedRays
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

/SAPAPO/MC62 authorization for creating CVCs, SAP security note 1306604

Description

Authorization object C_APO_CVC (introduced by note 1235367) is used to limit rights for CVC maintenance.
A user has authorization to create CVCs for a POS A, but not for POS B.
On the first screen of /SAPAPO/MC62 the user enters POS A, then on the next screen, using the get variant button, selects a variant for POS B; authorization is not checked again, so the user is able to create CVCs for POS B.

Available fix and Supported packages

  • SCM | 410 | 410
  • SCM | 500 | 500
  • SCM | 510 | 510
  • SCM | 700 | 700
  • SCM 700 | SAPKY70003 |
  • SCM 510 | SAPKY51010 |
  • SCM 410 | SAPKY41020 |
  • SCM 500 | SAPKY50017 |

Affected component

    SCM-APO-FCS-BF
    Basic Functions

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected].

URL

https://launchpad.support.sap.com/#/notes/1306604

TAGS

#Maintenance-of-Characteristic-Value-Combinations
#C_APO_CVC

More to explorer