← Back

CVE-2021-38176

nvd nist
Published: Sep 14, 2021Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

Affected (12)

Sap
4 products
Landscape Transformation
Landscape Transformation Replication Server
S/4hana
Test Data Migration Server
Configuration A
12 vulnerable
Vulnerable SoftwareAffected Versions
Landscape Transformation
Version 2.0
Sap
Landscape Transformation Replication Server
Version 1.0
Landscape Transformation Replication Server
Version 2.0
Landscape Transformation Replication Server
Version 3.0
Sap
S/4hana
Version 1511
S/4hana
Version 1610
S/4hana
Version 1709
S/4hana
Version 1809
S/4hana
Version 1909
S/4hana
Version 2020
S/4hana
Version 2021
Test Data Migration Server
Version 4.0

Related CWEs

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (4)

Source: cna@sap.com
Permissions Required
Source: cna@sap.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.