SAP S/4 HANA Private Cloud
cpe:2.3:a:sap:s/4_hana:*:*:*:*:*:*:*
A missing authorization check vulnerability has been identified in SAP S/4 HANA Private Cloud, specifically within the Financials General Ledger component. It allows an authenticated attacker whose access is limited to a single company code to read sensitive data and to post or modify documents across all company codes. Successful exploitation could have a high impact on confidentiality and a low impact on integrity; availability is unaffected.
Exploitation of this vulnerability could result in unauthorized access to sensitive data and the ability to post or modify documents across all company codes, potentially leading to significant financial discrepancies.
Users are advised to consult the SAP Security Notes for guidance on addressing this vulnerability. SAP Security Notes can be accessed through the SAP for Me platform, specifically on the SAP Security Patch Day page. It is recommended to implement these security corrections as a priority.