SAP ERP
cpe:2.3:a:sap:erp:*:*:*:*:*:*:*
A vulnerability exists in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) due to a missing authorization check. This flaw allows an authenticated attacker to execute a specific ABAP report and, without proper authorization, overwrite any existing eight-character executable ABAP report. Exploitation could disrupt the availability of the intended functionality and introduces a limited integrity risk to the affected report. Confidentiality remains unaffected.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the intended functionality of the overwritten ABAP report to become unavailable. Additionally, there is a limited impact on the integrity of the affected report, as it can be overwritten with unauthorized changes.
Users are advised to consult the SAP Security Notes for guidance on addressing this vulnerability. SAP Security Notes can be accessed through the SAP for Me platform, where users can find the complete list of security notes and prioritize their implementation. For specific patching details, refer to the SAP Security Notes FAQs.