CVE-2022-31589 — Incorrect Authorization in SE SAP Financials

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 59.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Financials SAP SE SAP S 4hana Core SAP ERP Financial Accounting +2 more

Timeline

PublishedJun 14

Latest updateJun 15

Description

Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDsap/s_4hana9 versions+8

▶NVDsap/erp_localization5 versions+4

▶CVEListV5sap_se/sap_financials720, SAP_FIN 618+1

▶CVEListV5sap_se/sap_s_4hana_core9 versions+8

▶NVDsap/erp_financial_accounting618, 720+1

🔴Vulnerability Details

GHSA

GHSA-vhrf-gfcg-4676: Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than neede↗2022-06-15

▶

CVEList

CVE-2022-31589: Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than neede↗2022-06-14

▶