Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-0279

ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.

Published

2019-04-10T21:29:01.153

Last Modified

2024-11-21T04:16:37.650

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	business_application_software_integrated_solution	≤ 7.02	Yes
Application	sap	business_application_software_integrated_solution	≤ 7.30	Yes
Application	sap	business_application_software_integrated_solution	≤ 7.53	Yes
Application	sap	business_application_software_integrated_solution	7.31	Yes
Application	sap	business_application_software_integrated_solution	7.40	Yes

References

https://launchpad.support.sap.com/#/notes/2753629 Permissions Required, Vendor Advisory ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Vendor Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/2753629 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)