Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for SAP BW/4HANA by SAP SE

    CVE-2021-21466 (GCVE-0-2021-21466)

    Vulnerability from nvd – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
    VLAI
    Summary
    SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
    CWE
    • Code Injection
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 711
    Affected: < 730
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW/4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:16:22.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2999854"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 711"
                },
                {
                  "status": "affected",
                  "version": "\u003c 730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:16.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2999854"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-21466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "711"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2999854",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2999854"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-21466",
        "datePublished": "2021-01-12T14:42:39.000Z",
        "dateReserved": "2020-12-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:16:22.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21466 (GCVE-0-2021-21466)

    Vulnerability from cvelistv5 – Published: 2021-01-12 14:42 – Updated: 2024-08-03 18:16
    VLAI
    Summary
    SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
    CWE
    • Code Injection
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP Business Warehouse Affected: < 700
    Affected: < 701
    Affected: < 702
    Affected: < 711
    Affected: < 730
    Affected: < 731
    Affected: < 740
    Affected: < 750
    Affected: < 782
    Create a notification for this product.
    SAP SE SAP BW/4HANA Affected: < 100
    Affected: < 200
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:16:22.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2999854"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Business Warehouse",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 701"
                },
                {
                  "status": "affected",
                  "version": "\u003c 702"
                },
                {
                  "status": "affected",
                  "version": "\u003c 711"
                },
                {
                  "status": "affected",
                  "version": "\u003c 730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 740"
                },
                {
                  "status": "affected",
                  "version": "\u003c 750"
                },
                {
                  "status": "affected",
                  "version": "\u003c 782"
                }
              ]
            },
            {
              "product": "SAP BW/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 100"
                },
                {
                  "status": "affected",
                  "version": "\u003c 200"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:16.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2999854"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-21466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Business Warehouse",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "701"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "702"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "711"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "740"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "750"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "782"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP BW/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "100"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "200"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.9",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2999854",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2999854"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-21466",
        "datePublished": "2021-01-12T14:42:39.000Z",
        "dateReserved": "2020-12-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:16:22.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }