Vulnerability Details : CVE-2021-21468
Potential exploit
The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.
Products affected by CVE-2021-21468
- cpe:2.3:a:sap:business_warehouse:711:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:730:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:782:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:710:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:751:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:752:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:753:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:business_warehouse:755:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21468
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-21468
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
SAP SE | |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2021-21468
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-21468
-
http://seclists.org/fulldisclosure/2022/May/42
Full Disclosure: SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components)Exploit;Mailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html
SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://launchpad.support.sap.com/#/notes/2986980
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476
SAP Security Patch Day – January 2021 - Product Security Response at SAP - Community WikiVendor Advisory
Jump to