Problem Note 67257: SAS® Anti-Money Laundering contains a broken access-control vulnerability
Severity: Medium
Description: A user with the Create Alert (AML.ALERT.CREATE) capability can create an alert on an entity that they should not have access to by using HTTP POST on the /alerts REST endpoint.
Potential Impact: Unauthorized users can create alerts on entities that they should not have access to.
Click the Hot Fix tab in this note to access the hot fix for this issue.
This security vulnerability is fixed in Hot Fix 11 (A5T015).
Operating System and Release Information
SAS System | SAS Anti-Money Laundering | Microsoft® Windows® for x64 | 7.1 | | | |
64-bit Enabled AIX | 7.1 | | | |
64-bit Enabled Solaris | 7.1 | | | |
Linux for x64 | 7.1 | | | |
*
For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
Type: | Problem Note |
Priority: | high |
Date Modified: | 2021-01-22 09:01:53 |
Date Created: | 2021-01-18 15:09:28 |