Authorization Flaw in SAP Enterprise Financial Services
CVE-2018-2454

8.8HIGH

Key Information:

Vendor

SAP
Status
SAP Enterprise Financial Services
Vendor
CVE Published:
11 September 2018

What is CVE-2018-2454?

The SAP Enterprise Financial Services product versions 6.05, 6.06, 6.16, 6.17, 6.18, and 8.0 have been reported to lack proper authorization checks within the business function EAFS_BCA_BUSOPR_2. This vulnerability allows for authenticated users to escalate their privileges erroneously, potentially allowing unauthorized access to sensitive operations. Organizations using these affected versions are advised to apply relevant patches and review user permissions to mitigate this security risk.

Affected Version(s)

SAP Enterprise Financial Services = 6.05 = 6.05

SAP Enterprise Financial Services = 6.06 = 6.06

SAP Enterprise Financial Services = 6.16 = 6.16

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_CONFIRM
https://launchpad.support.sap.com/#/notes/2645133
x_refsource_MISC
http://www.securityfocus.com/bid/105316
vdb-entryx_refsource_BID

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.