PT-2022-25779 · Sap · Cpmbpc+3

Published: 2022-12-13 · Updated: 2022-12-15 · CVE-2022-41268

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP Business Planning and Consolidation versions SAP BW 750 through 757, DWCORE 200 through 300, CPMBPC 810

Description: The issue concerns the use of a transaction code reserved for the customer in some SAP standard roles. This could allow a malicious user to execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges, allowing them to read, change, or delete system data.

Recommendations: For SAP Business Planning and Consolidation versions SAP BW 750 through 757, consider restricting access to the transaction code reserved for the customer until a fix is available. For DWCORE versions 200 through 300, restrict the use of the vulnerable transaction code to prevent unauthorized access. For CPMBPC version 810, limit the privileges of users who have access to the transaction code to minimize potential damage. As a temporary workaround, consider disabling the vulnerable transaction functionality until a patch is available.
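As an added illustrative check (not part of this advisory and not SAP's own tooling), the following Python script scans a role-to-transaction export for SAP standard roles that grant transaction codes from the customer-reserved namespace, which is the class of misassignment the description refers to. It assumes that the customer-reserved namespace is the Y/Z transaction-code prefix, that SAP-delivered standard roles carry the SAP_ prefix, and that the export resembles the role/transaction pairs of table AGR_TCODES; the sample rows are constructed, since the advisory does not name the affected transaction code or role.

```python
"""Added illustrative check, not from the advisory: flag SAP-delivered standard
roles that grant transaction codes from the customer-reserved namespace.

Assumptions (not stated on the page):
  - customer-reserved transaction codes start with 'Y' or 'Z';
  - SAP standard roles are identified by the 'SAP_' prefix;
  - input rows are (role name, transaction code) pairs, as in an export of
    table AGR_TCODES, separated by ';' or a tab.
All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

CUSTOMER_PREFIXES = ("Y", "Z")   # assumed customer namespace
STANDARD_ROLE_PREFIX = "SAP_"    # assumed standard-role prefix


@dataclass(frozen=True)
class Finding:
    role: str
    tcode: str


def is_customer_namespace(tcode: str) -> bool:
    """True if the transaction code sits in the (assumed) customer namespace."""
    return tcode.upper().startswith(CUSTOMER_PREFIXES)


def is_standard_role(role: str) -> bool:
    """True if the role name looks like an SAP-delivered standard role."""
    return role.upper().startswith(STANDARD_ROLE_PREFIX)


def parse_export(text: str) -> List[Tuple[str, str]]:
    """Parse 'ROLE;TCODE' (or tab-separated) lines; skip blanks and '#' comments."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t") if "\t" in line else line.split(";")
        if len(parts) >= 2:
            rows.append((parts[0].strip(), parts[1].strip()))
    return rows


def find_customer_tcodes_in_standard_roles(rows: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Return each distinct (standard role, customer-namespace tcode) pair."""
    findings: List[Finding] = []
    seen = set()
    for role, tcode in rows:
        role, tcode = role.upper(), tcode.upper()
        if not role or not tcode:
            continue
        if is_standard_role(role) and is_customer_namespace(tcode):
            key = (role, tcode)
            if key not in seen:
                seen.add(key)
                findings.append(Finding(role, tcode))
    return findings


# Constructed sample export: role names and transaction codes are placeholders.
SAMPLE_EXPORT = """\
# AGR_NAME;TCODE (constructed)
SAP_EXAMPLE_ADMIN;SEXAMPLE
SAP_EXAMPLE_ADMIN;ZCUSTOM_TCODE
SAP_EXAMPLE_DEV;SEXAMPLE2
Z_CUSTOMER_ROLE;ZREPORT
SAP_EXAMPLE_DEV;YCUSTOM_TOOL
SAP_EXAMPLE_ADMIN;ZCUSTOM_TCODE
"""


def run_sample() -> List[Finding]:
    return find_customer_tcodes_in_standard_roles(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for f in run_sample():
        print(f"standard role {f.role} grants customer-namespace tcode {f.tcode}")
```

Customer roles (Z_CUSTOMER_ROLE above) are expected to carry customer-namespace codes and are deliberately not reported; only standard roles are flagged, and duplicate assignments are collapsed so each pair appears once for follow-up.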

Fix

Weakness Enumeration
Improper Privilege Management

Related Identifiers
CVE-2022-41268

Affected Products
Cpmbpc
Dwcore
Sap Business Planning/Consolidation
Sap Bw