In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Advanced_business_application_programming | Sap | 7.00 (including) | 7.02 (including) |
| Advanced_business_application_programming | Sap | 7.10 (including) | 7.11 (including) |
| Advanced_business_application_programming | Sap | 7.30 (including) | 7.30 (including) |
| Advanced_business_application_programming | Sap | 7.31 (including) | 7.31 (including) |
| Advanced_business_application_programming | Sap | 7.40 (including) | 7.40 (including) |
| Advanced_business_application_programming | Sap | 7.50 (including) | 7.50 (including) |
| Advanced_business_application_programming | Sap | 75c (including) | 75c (including) |
| Advanced_business_application_programming | Sap | 75d (including) | 75d (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- http://www.securityfocus.com/bid/105906
- https://launchpad.support.sap.com/#/notes/2693083
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832
- http://www.securityfocus.com/bid/105906
- https://launchpad.support.sap.com/#/notes/2693083
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832