SAP NetWeaver Application Server for ABAP Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in SAP NetWeaver Application Server for ABAP. This vulnerability allows an authenticated attacker to initiate transactions directly through the session manager, bypassing the initial transaction screen and the necessary authorization checks. As a result, the attacker could access and execute transactions that typically require specific permissions, thereby compromising the system's integrity and confidentiality by enabling unauthorized access to restricted functions. However, this vulnerability does not affect the system's availability.
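The following is an added illustration of the two patterns the paragraph above contrasts; it is generic example code, not SAP's ABAP or session-manager implementation. The hostnames, path, transaction codes and the per-user authorization table are all constructed placeholders. The unchecked handler trusts the session cookie alone, so a request started from another site runs with the victim's session; the hardened handler verifies the request origin, a synchronizer token bound to the session, and then re-applies the authorization check at the transaction entry point itself, so skipping the initial screen does not skip the permission check.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed values for the example; not SAP hostnames, transaction codes or APIs.
TRUSTED_ORIGIN = "https://appserver.example.test"
START_PATH = "/session-manager/start"
# Hypothetical per-user transaction authorizations.
AUTHORIZED_TCODES = {
    "alice": {"TX_REPORT", "TX_ADMIN"},
    "bob": {"TX_REPORT"},
}


@dataclass
class Session:
    """Server-side session, resolved from the cookie the browser sends automatically."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Session  # already resolved from the session cookie


def start_transaction_unchecked(req: Request):
    """Vulnerable pattern: the handler trusts the session cookie alone and starts
    whatever transaction the form names, with no origin, token or permission check."""
    if req.method != "POST" or req.path != START_PATH:
        return ("rejected", "route")
    return ("started", req.form.get("tcode"))


def same_origin(req: Request) -> bool:
    """Reject requests whose Origin (or Referer, as a fallback) is not this server."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    got, want = urlparse(source), urlparse(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def start_transaction_checked(req: Request):
    """Hardened pattern: origin check, synchronizer token bound to the session,
    and the authorization check enforced at the entry point of the transaction."""
    if req.method != "POST" or req.path != START_PATH:
        return ("rejected", "route")
    if not same_origin(req):
        return ("rejected", "origin")
    token = req.form.get("csrf_token", "")
    # Constant-time comparison against the token stored server-side for this session.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return ("rejected", "csrf")
    tcode = req.form.get("tcode", "")
    if tcode not in AUTHORIZED_TCODES.get(req.session.user, set()):
        return ("rejected", "authorization")
    return ("started", tcode)


def cross_site_request(session: Session) -> Request:
    """Constructed cross-site request: the cookie still resolves the session, but
    the form carries no token and the Origin header names a different site."""
    return Request("POST", START_PATH,
                   {"Origin": "https://other-site.example.test"},
                   {"tcode": "TX_ADMIN"}, session)


def same_site_request(session: Session, tcode: str) -> Request:
    """Constructed request as the application's own pages would submit it."""
    return Request("POST", START_PATH,
                   {"Origin": TRUSTED_ORIGIN},
                   {"tcode": tcode, "csrf_token": session.csrf_token}, session)


if __name__ == "__main__":
    bob = Session("bob")
    print(start_transaction_unchecked(cross_site_request(bob)))        # ('started', 'TX_ADMIN')
    print(start_transaction_checked(cross_site_request(bob)))          # ('rejected', 'origin')
    print(start_transaction_checked(same_site_request(bob, "TX_REPORT")))  # ('started', 'TX_REPORT')
    print(start_transaction_checked(same_site_request(bob, "TX_ADMIN")))   # ('rejected', 'authorization')
```

The order of the checks matters for detection as well as defence: an origin rejection points at a cross-site request, a token rejection at a replayed or stale form, and an authorization rejection at a user reaching a transaction they are not entitled to, so logging the rejection reason separately gives a useful signal for each case.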

Impact

Exploitation of this vulnerability could lead to unauthorized access and actions within the system, allowing attackers to perform transactions and access functionalities that require specific permissions.

Remediation

Users are advised to consult the SAP Security Notes for guidance on addressing this vulnerability. SAP Security Notes can be accessed through the SAP for Me platform, where users can find the complete list of security notes and prioritize their implementation. For SAP NetWeaver products, security fixes are also included in the regular support package updates.

Added: Oct 14, 2025, 1:21 AM
Updated: Oct 14, 2025, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 5.0
exploitability: 5.0
remediation: 0.0
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.