SAP Identity Management 2.0 Remote Code Execution Vulnerability

Summary

Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, which would otherwise be restricted to viewing only.

Credit:

The information has been provided by Aditi Kulkarni.
The original article can be found at: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032


Details

SAP Identity Management is prone to a remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Vulnerable Systems:

  • SAP Identity Management 2.0

CVE Information:
CVE-2019-0301

Disclosure Timeline:
Publish Date: 05/14/2019