CVE-2026-24322
SAP · Solution Tools Plug-In (ST-PI)
The SAP Solution Tools Plug-In (ST-PI) fails to perform necessary authorization checks in a specific function module, allowing authenticated users to access sensitive information.
Executive summary
SAP Solution Tools Plug-In (ST-PI) contains a broken authorization check that allows authenticated users to view sensitive information they are not authorized to access.
Vulnerability
This vulnerability is an Information Disclosure flaw caused by a missing authorization check within a function module. An authenticated attacker with basic access to the SAP system can invoke this module to bypass intended restrictions and extract sensitive data.
Business impact
The CVSS score of 7.7 reflects the severity of this information disclosure. Unauthorized access to internal SAP data can expose business intelligence, financial records, or system configuration details. Such leaks can result in regulatory non-compliance and loss of competitive advantage, and can give attackers a roadmap for escalating privileges within the SAP environment.
Remediation
Immediate Action: Apply the relevant SAP Security Note and update the ST-PI component to the version specified in the vendor advisory.
Proactive Monitoring: Review SAP audit logs (SM20) and Gateway logs for unusual execution of ST-PI function modules, especially by users who do not typically perform administrative or diagnostic tasks.
Compensating Controls: Restrict network access to the SAP application server and ensure that only the users who need it hold the authorizations required to invoke remote-enabled function modules over RFC (Remote Function Call).
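An added example, not part of this advisory, of the monitoring step above: it scans a constructed, simplified SM20-style export for executions of watched ST-PI function modules by accounts outside an expected administrative group and counts hits per account. The tab-separated log layout, the module name /SDF/EXAMPLE_FM and the user names are assumptions and placeholders; substitute the module(s) named in the SAP Security Note and the accounts that legitimately run ST-PI diagnostics.

```python
import re
from collections import Counter

# Constructed sample in a simplified SM20-style layout (assumed, not a real SAP export):
# date<TAB>time<TAB>user<TAB>terminal<TAB>message
SAMPLE_LOG = """\
20260115\t081203\tBASISADM\tWS-ADM01\tRFC function module /SDF/EXAMPLE_FM called
20260115\t081530\tJDOE\tWS-SALES7\tRFC function module /SDF/EXAMPLE_FM called
20260115\t082011\tJDOE\tWS-SALES7\tLogon successful (type=A)
20260115\t083345\tSVC_REPORT\tAPPSRV02\tRFC function module /SDF/EXAMPLE_FM called
20260115\t084102\tBASISADM\tWS-ADM01\tRFC function module ZCUSTOM_FM called
"""

# Placeholder module name: substitute the module(s) named in the SAP Security Note.
WATCHED_MODULES = {"/SDF/EXAMPLE_FM"}
# Accounts expected to run ST-PI diagnostics (assumed); adapt to local roles.
EXPECTED_USERS = {"BASISADM"}
FIELDS = ("date", "time", "user", "terminal", "msg")
RFC_CALL_RE = re.compile(r"RFC function module (\S+) called")

def parse_line(line):
    """Split one tab-separated record into a dict; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_suspicious_calls(log_text, watched=WATCHED_MODULES, expected=EXPECTED_USERS):
    """Return records where a watched module was invoked by a user outside 'expected'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed rows rather than silently mis-parsing them
        m = RFC_CALL_RE.search(rec["msg"])
        if m and m.group(1) in watched and rec["user"] not in expected:
            rec["module"] = m.group(1)
            hits.append(rec)
    return hits

def calls_per_user(hits):
    """Count flagged calls per account so the noisiest ones surface first."""
    return Counter(h["user"] for h in hits)

if __name__ == "__main__":
    flagged = find_suspicious_calls(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['date']} {h['time']} user={h['user']} terminal={h['terminal']} module={h['module']}")
    print(calls_per_user(flagged))
```

On the sample above the two calls by JDOE and SVC_REPORT are flagged, while the administrator's call and the unrelated custom module are not.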
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a significant risk to data confidentiality within the SAP ecosystem. Applying the vendor's security updates immediately is strongly recommended: vulnerabilities that require authentication are often deprioritized, yet they are highly valuable to attackers who are already inside the perimeter.