Description
SAP AS ABAP (SAP Landscape Transformation), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104, 105, allow a high-privileged user to execute an RFC function module to which access should be restricted. Due to missing authorization, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.
References (4)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2993132
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/42
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html
Scores
CVSS v3
7.6
EPSS
0.0050
EPSS Percentile
66.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
Details
CWE
CWE-862
Status
published
Products (13)
sap/netweaver_application_server_abap
2011_1_620
sap/netweaver_application_server_abap
2011_1_640
sap/netweaver_application_server_abap
2011_1_700
sap/netweaver_application_server_abap
2011_1_710
sap/netweaver_application_server_abap
2011_1_730
sap/netweaver_application_server_abap
2011_1_731
sap/netweaver_application_server_abap
2011_1_752
sap/netweaver_application_server_abap
2020
sap/s\/4_hana
101
sap/s\/4_hana
102
... and 3 more
Published
Dec 09, 2020
Tracked Since
Feb 18, 2026