SAP S/4HANA Manage Processing Rules Bank Statements Authorization Vulnerability Allowing Condition Deletion

An authorization vulnerability has been identified in SAP S/4HANA's Manage Processing Rules for Bank Statements. This issue allows an authenticated attacker with basic privileges to delete conditions from any shared rule belonging to any user. The vulnerability arises from a lack of proper authorization checks, enabling attackers to manipulate request parameters and remove shared rule conditions that should be protected, thereby compromising the application's integrity.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of shared rule conditions, disrupting the integrity of the application's processing rules for bank statements.

Remediation

Users are advised to consult the SAP Security Notes for guidance on addressing this vulnerability. SAP Security Notes can be accessed through the SAP for Me platform, specifically on the SAP Security Patch Day.