CVE-2019-0325 - Vulnerability Details - OpenCVE

Description

SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data.

Published: 2019-07-10

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP SE

SAP ERP HCM (SAP_HRCES)

affected

Version	Status	Constraints
`< 3`	affected	—

Configuration 1 [-]

cpe:2.3:a:sap:erp_hcm:3.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-1098	SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00159.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.securityfocus.com/bid/109075
https://launchpad.support.sap.com/#/notes/2798133
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575

History

No history.

Subscriptions

Sap Erp Hcm

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2019-07-10T19:04:13.000Z

Updated: 2024-08-04T17:44:16.457Z

Reserved: 2018-11-26T00:00:00.000Z

Link: CVE-2019-0325

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-10T20:15:11.903

Modified: 2024-11-21T04:16:41.060

Link: CVE-2019-0325

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-862

{"containers": {"cna": {"affected": [{"product": "SAP ERP HCM (SAP_HRCES)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 3"}]}], "descriptions": [{"lang": "en", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}], "problemTypes": [{"descriptions": [{"description": "Missing Authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-10T19:04:18.000Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"name": "109075", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109075"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0325", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP ERP HCM (SAP_HRCES)", "version": {"version_data": [{"version_name": "<", "version_value": "3"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "109075", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109075"}, {"name": "https://launchpad.support.sap.com/#/notes/2798133", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:16.457Z"}, "title": "CVE Program Container", "references": [{"name": "109075", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109075"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0325", "datePublished": "2019-07-10T19:04:13.000Z", "dateReserved": "2018-11-26T00:00:00.000Z", "dateUpdated": "2024-08-04T17:44:16.457Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:erp_hcm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "19B3A119-153A-4199-B24D-0A6D51D13318", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data."}, {"lang": "es", "value": "SAP ERP HCM (SAP_HRCES), versi\u00f3n 3, no realiza las comprobaciones de autorizaci\u00f3n necesarias para un reporte que lee los datos de n\u00f3mina de los empleados en un \u00e1rea determinada. Debido a esto, bajo ciertas condiciones, el usuario una vez que tuvo la autorizaci\u00f3n para datos de n\u00f3mina de un empleado, y que fue revocado luego, puede conservar el acceso a los mismos datos."}], "id": "CVE-2019-0325", "lastModified": "2024-11-21T04:16:41.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-10T20:15:11.903", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109075"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109075"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2798133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}