CVE-2021-21465

Published: Jan 12, 2021Modified: Nov 21, 2024

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: NVD

Description

The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.

Affected (12)

Products: Sap: Business Warehouse

1 product

Business Warehouse

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Sap Business Warehouse	Version 710
Sap Business Warehouse	Version 711
Sap Business Warehouse	Version 730
Sap Business Warehouse	Version 731
Sap Business Warehouse	Version 740
Sap Business Warehouse	Version 750
Sap Business Warehouse	Version 751
Sap Business Warehouse	Version 752
Sap Business Warehouse	Version 753
Sap Business Warehouse	Version 754
Sap Business Warehouse	Version 755
Sap Business Warehouse	Version 782

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (8)

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: cna@sap.com

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: cna@sap.com

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2986980

Source: cna@sap.com

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Source: cna@sap.com

Vendor Advisory

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2986980

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.