CVE-2019-0279 — Missing Authorization in SE SAP Basis

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 43.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Basis SAP Business Application Software Integrated Solution

Timeline

PublishedApr 10

Latest updateMay 13

Description

ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_basis< from 7.00 to 7.02+4

▶NVDsap/business_application_software_integrated_solution7.00 — 7.02+4

🔴Vulnerability Details

GHSA

GHSA-mvgq-h74j-hhm6: ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7↗2022-05-13

▶

CVEList

CVE-2019-0279: ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7↗2019-04-10

▶