CVE-2019-0325 - Vulnerability Details - OpenCVE

SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Erp Hcm

Configuration 1 [-]

cpe:2.3:a:sap:erp_hcm:3.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/109075
https://launchpad.support.sap.com/#/notes/2798133
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2019-07-10T19:04:13

Updated: 2024-08-04T17:44:16.457Z

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0325

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-10T20:15:11.903

Modified: 2024-11-21T04:16:41.060

Link: CVE-2019-0325

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP ERP HCM (SAP_HRCES) ", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 3"}]}], "descriptions": [{"lang": "en", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}], "problemTypes": [{"descriptions": [{"description": "Missing Authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-10T19:04:18", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"name": "109075", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109075"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0325", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP ERP HCM (SAP_HRCES) ", "version": {"version_data": [{"version_name": "<", "version_value": "3"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "109075", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109075"}, {"name": "https://launchpad.support.sap.com/#/notes/2798133", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:16.457Z"}, "title": "CVE Program Container", "references": [{"name": "109075", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109075"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0325", "datePublished": "2019-07-10T19:04:13", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.457Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:erp_hcm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "19B3A119-153A-4199-B24D-0A6D51D13318", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}, {"lang": "es", "value": "SAP ERP HCM (SAP_HRCES), versi\u00f3n 3, no realiza las comprobaciones de autorizaci\u00f3n necesarias para un reporte que lee los datos de n\u00f3mina de los empleados en un \u00e1rea determinada. Debido a esto, bajo ciertas condiciones, el usuario una vez que tuvo la autorizaci\u00f3n para datos de n\u00f3mina de un empleado, y que fue revocado luego, puede conservar el acceso a los mismos datos."}], "id": "CVE-2019-0325", "lastModified": "2024-11-21T04:16:41.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-10T20:15:11.903", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109075"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109075"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}