CVE-2019-0280 — Missing Authorization in SE SAP Treasury AND Risk Management

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 40.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Enterprise Financial Services SAP SE SAP Treasury AND Risk Management SAP Treasury AND Risk Management

Timeline

PublishedMay 14

Latest updateMay 24

Description

SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18 and 8.0; S4CORE 1.01, 1.02 and 1.03), does not perform necessary authorization checks for authorization objects T_DEAL_DP and T_DEAL_PD , resulting in escalation of privileges.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5sap_se/sap_treasury_and_risk_management< 6.0+8

▶NVDsap/treasury_and_risk_management9 versions+8

▶CVEListV5sap_se/sap_enterprise_financial_services< 1.01+2

🔴Vulnerability Details

GHSA

GHSA-2pvf-hwww-4v9q: SAP Treasury and Risk Management (EA-FINSERV 6↗2022-05-24

▶

CVEList

CVE-2019-0280: SAP Treasury and Risk Management (EA-FINSERV 6↗2019-05-14

▶