CVE-2019-0279

Name of the Vulnerable Software and Affected Versions: SAP BASIS versions 7.0 through 7.02 SAP BASIS versions 7.10 through 7.30 SAP BASIS versions 7.31 SAP BASIS versions 7.40 SAP BASIS versions 7.50 through 7.53

Description: The issue concerns the ABAP BASIS function modules INST CREATE R3 RFC DEST, INST CREATE TCPIP RFCDEST, and INST CREATE TCPIP RFC DEST in SAP BASIS. These function modules do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.

Recommendations: For SAP BASIS versions 7.0 through 7.02, update to a version outside of this range. For SAP BASIS versions 7.10 through 7.30, update to a version outside of this range. For SAP BASIS version 7.31, update to a version outside of this range. For SAP BASIS version 7.40, update to a version outside of this range. For SAP BASIS versions 7.50 through 7.53, update to a version outside of this range. As a temporary workaround, consider restricting access to the function modules INST CREATE R3 RFC DEST, INST CREATE TCPIP RFCDEST, and INST CREATE TCPIP RFC DEST until a patch is available.