Privilege Escalation in SAP Treasury and Risk Management by SAP
CVE-2019-0280

8.8 HIGH

Summary

SAP Treasury and Risk Management, in versions EA-FINSERV and S4CORE, lacks necessary authorization checks for the critical authorization objects T_DEAL_DP and T_DEAL_PD. This oversight could allow unauthorized users to escalate their privileges, granting them access to sensitive financial data and operational capabilities they would not normally have. Organizations using these versions should prioritize applying the updates provided by SAP to mitigate the risks associated with this vulnerability.

Affected Version(s)

SAP Enterprise Financial Services (S4CORE) < 1.01

SAP Enterprise Financial Services (S4CORE) < 1.02

SAP Enterprise Financial Services (S4CORE) < 1.03

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
