Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

User Guest granted privileges of a real user, SAP security note 1720677

Description

A legitimate user opens a browser and accesses a protected resource on AS Java. The user is granted access without authentication, and notices that the currently authenticated user is a different one.

Available fix and Supported packages

  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • J2EE ENGINE SERVERCORE 7.20 | SP004 | 000051
  • J2EE ENGINE SERVERCORE 7.20 | SP005 | 000027
  • J2EE ENGINE SERVERCORE 7.20 | SP006 | 000015
  • J2EE ENGINE SERVERCORE 7.20 | SP007 | 000011
  • J2EE ENGINE SERVERCORE 7.20 | SP008 | 000000
  • J2EE ENGINE SERVERCORE 7.30 | SP001 | 000017
  • J2EE ENGINE SERVERCORE 7.30 | SP002 | 000023
  • J2EE ENGINE SERVERCORE 7.30 | SP003 | 000021
  • J2EE ENGINE SERVERCORE 7.30 | SP004 | 000015
  • J2EE ENGINE SERVERCORE 7.30 | SP005 | 000023
  • J2EE ENGINE SERVERCORE 7.30 | SP007 | 000007
  • J2EE ENGINE SERVERCORE 7.30 | SP008 | 000000
  • J2EE ENGINE SERVERCORE 7.31 | SP001 | 000012
  • J2EE ENGINE SERVERCORE 7.31 | SP002 | 000010
  • J2EE ENGINE SERVERCORE 7.31 | SP003 | 000005
  • J2EE ENGINE SERVERCORE 7.31 | SP004 | 000001
  • J2EE ENGINE SERVERCORE 7.31 | SP005 | 000000

Affected component

    BC-JAS-SEC
    Security, User Management

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected].

URL

https://launchpad.support.sap.com/#/notes/1720677

TAGS

#user
#no-authentication
#other-user-data
#different-authenticated-user

More to explorer