3719939 - Static content of SAPUI5 runtime and Fiori apps are cached and can be displayed without authentication

Symptom

Static content of SAPUI5 runtime and Fiori apps are cached and can be displayed without authentication. For example, the result of the following requests can be directly displayed without authentication:

https://<host>:<port>/sap/bc/ui5_ui5/ui2/ushell/resources/~<cache token>~/sap-ui-version.json
https://<host>:<port>/sap/bc/ui5_ui5/ui2/ushell/resources/~<cache token>~/sap/ushell/renderers/fiori2/search/searchComponent/manifest.json
https://<host>:<port>/sap/bc/ui5_ui5/sap/<app name>/~<cache token>~5/manifest.json

Environment

SAP S/4HANA

Product

SAP NetWeaver Application Server for ABAP innovation package all versions ; SAP S/4HANA Cloud Private Edition all versions ; SAP S/4HANA all versions

Keywords

SAPUI5, ABAP repository, version information, login authorization, security vulnerability, static content, ICM cache, Fiori apps, authentication, cache management, JavaScript content, SAP NetWeaver , KBA , CA-UI5-ABA-SAR , UI5 App Infrastructure: SAPUI5 ABAP Repository , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.