CVE-2019-0279
HIGH
SAP BASIS - Authenticated Privilege Escalation via ABAP Function Modules
ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2753629
Scores
CVSS v3: 8.8
EPSS: 0.0034
EPSS Percentile: 56.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-862
Status: published
Products (3)
sap/business_application_software_integrated_solution: 7.31
sap/business_application_software_integrated_solution: 7.40
sap/business_application_software_integrated_solution: 7.00 - 7.02
Published: Apr 10, 2019
Tracked Since: Feb 18, 2026