An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
The vulnerability (CWE-862 — missing authorization control) consists in the application not properly verifying user permissions when invoking a specific generic function module call. An authenticated attacker can abuse this call to execute critical operations to which they should not normally have access. As a result, arbitrary SQL queries can be executed directly on the database supporting the SAP system.
An attacker can gain full database access — read, modify, or delete any data, resulting in complete compromise of system confidentiality, integrity, and availability.
Apply patches available from the vendor according to references — SAP Note 3697099 (https://me.sap.com/notes/3697099) published as part of the SAP Security Patch Day. Priority implementation of updates is recommended due to the critical severity level of the vulnerability.
SAP NetWeaver Application Server ABAP, SAP CRM (Scripting Editor), SAP S/4HANA — specific versions indicated in vendor references (SAP Note 3697099)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HSap Netweaver Application Server Abap
APPSap700Sap S\/4hana
APPSap102103104105106107108109Sap Webclient Ui Framework
APPSap700701730731746747748800801
Related vulnerabilities
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Serve...
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong aut...
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752,...
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO ...
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, ...