CVE-2021-27626 : SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retr

SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CMiniXMLParser::Parse() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.

Published 2021-06-09 14:15:09

Updated 2022-10-31 14:46:40

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2021-27626

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-27626

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	SAP SE
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-27626

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.
Assigned by:
- cna@sap.com (Primary)
- nvd@nist.gov (Secondary)

References for CVE-2021-27626

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

SAP Security Patch Day – June 2021 - Product Security Response at SAP - Community Wiki
Broken Link;Vendor Advisory

CVEs referencing this url
https://launchpad.support.sap.com/#/notes/3021050

SAP ONE Support Launchpad: Log On
Permissions Required;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2021-27626

SAP » Netweaver As Internet Graphics Server » Version: 7.20
cpe:2.3:a:sap:netweaver_as_internet_graphics_server:7.20:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver As Internet Graphics Server » Version: 7.20ex2
cpe:2.3:a:sap:netweaver_as_internet_graphics_server:7.20ex2:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver As Internet Graphics Server » Version: 7.20ext
cpe:2.3:a:sap:netweaver_as_internet_graphics_server:7.20ext:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver As Internet Graphics Server » Version: 7.53
cpe:2.3:a:sap:netweaver_as_internet_graphics_server:7.53:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver As Internet Graphics Server » Version: 7.81
cpe:2.3:a:sap:netweaver_as_internet_graphics_server:7.81:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-27626

Exploit prediction scoring system (EPSS) score for CVE-2021-27626

CVSS scores for CVE-2021-27626

CWE ids for CVE-2021-27626

References for CVE-2021-27626

Products affected by CVE-2021-27626