Problem Note 67258: SAS® Anti-Money Laundering contains a broken access-control vulnerability
 |  |  |  |  |
Severity: Medium
Description: A user with the Add to Case (AML.ENTITY.ADDTOCASE.MY) capability can add an entity that they do not own to a case by using HTTP POST on the /cases REST endpoint.
Potential Impact: Users can add to a case an entity that they should not have access to.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Anti-Money Laundering | 64-bit Enabled Solaris | 7.1 | 7.1 | 9.4 TS1M6 | 9.4 TS1M6 |
| 64-bit Enabled AIX | 7.1 | 7.1 | 9.4 TS1M6 | 9.4 TS1M6 | ||
| Microsoft® Windows® for x64 | 7.1 | 7.1 | 9.4 TS1M6 | 9.4 TS1M6 | ||
| Linux for x64 | 7.1 | 7.1 | 9.4 TS1M6 | 9.4 TS1M6 | ||
A fix for this issue for SAS Compliance Solutions 7.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/A5T.html#67258| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2021-02-12 09:02:53 |
| Date Created: | 2021-01-18 15:21:42 |