Vulnerability card
Vulnerability characteristics
Severity level
CVSS score
Software vendor
Software name
SAP Notes
(1657275-2)
SAP Support Packages
(SAPKH31IB9, SAPKH40B89, SAPKH45B67, SAPKH46B62, SAPKH46C64, SAPKH47038, SAPKH50027, SAPKH60021, SAPKH60211, SAPKH60310, SAPKH60411, SAPKH60508)
Description
FI-FM does not perform authorization checks to verify that an authenticated user is authorized to access some of its functions. This may result in undesired system behavior.
How to fix
The correction is delivered in a Support Package. The view U_12424 will be deleted. Delete the view U_12424 if you agree to modify a dictionary repository object from SAP. Otherwise, assign to the view a table authorization group for which nobody is authorized, so that the view's data cannot be displayed using transaction SE16 or similar. Use transaction SE54 (or SM30 for view V_DDAT_54) to assign the table authorization group SPWD, and ensure that you have not granted authorizations for authorization object S_TABU_DIS to anybody. (You can use transaction SUIM to search for users or roles that have authorizations for authorization object S_TABU_DIS.)
------------------------------------------------------------------------
|Manual Activity |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_APPL SAP Application |
| Release 31I Until SAPKH31IB8 |
| Release 40B Until SAPKH40B88 |
| Release 45B Until SAPKH45B66 |
| Release 46B Until SAPKH46B61 |
| Release 46C Until SAPKH46C63 |
| Release 470 Until SAPKH47037 |
| Release 500 SAPKH50001 - SAPKH50026 |
| Release 600 SAPKH60001 - SAPKH60020 |
| Release 602 Until SAPKH60210 |
| Release 603 Until SAPKH60309 |
| Release 604 SAPKH60401 - SAPKH60410 |
| Release 605 Until SAPKH60507 |
| Release 606 From SAPKH60601 |
------------------------------------------------------------------------
References