SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity & Availability of the application.
The vulnerability results from improper implementation of authentication mechanisms (CWE-921 — storage of sensitive data in unsecured location related to auth bypass error). An attacker can remotely, without any privileges or user interaction, bypass the login process and gain access to the application's administrator account. The authentication mechanism does not enforce proper identity verification, opening the path to full Admin account takeover.
Attackers gain full access to the SAP Financial Consolidation administrator account, resulting in critical breach of confidentiality, integrity, and availability of the application and processed financial data.
Apply patches available from the vendor according to references — SAP note number 3572688, published as part of SAP Security Patch Day. Immediate patch deployment is recommended, as well as restricting network access to the application until it is installed.
SAP Financial Consolidation — versions specified in vendor references (SAP note 3572688)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H