CVE-2021-21466

Published: Jan 12, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.

Affected (11)

Products: Sap: Business Warehouse, Bw/4hana

2 products

Business Warehouse

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Sap Business Warehouse	Version 700
Sap Business Warehouse	Version 701
Sap Business Warehouse	Version 702
Sap Business Warehouse	Version 711
Sap Business Warehouse	Version 730
Sap Business Warehouse	Version 731
Sap Business Warehouse	Version 740
Sap Business Warehouse	Version 750
Sap Business Warehouse	Version 782
Sap Bw/4hana	Version 100
Sap Bw/4hana	Version 200

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (8)

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: cna@sap.com

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: cna@sap.com

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2999854

Source: cna@sap.com

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Source: cna@sap.com

Vendor Advisory

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2999854

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.