Vulnerability Details : CVE-2021-40496
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.
Products affected by CVE-2021-40496
- cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:756:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_abap:785:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:785:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-40496
0.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-40496
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2021-40496
-
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Assigned by:
- cna@sap.com (Primary)
- nvd@nist.gov (Secondary)
References for CVE-2021-40496
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
SAP Security Patch Day – October 2021 - Product Security Response at SAP - Community WikiVendor Advisory
-
https://launchpad.support.sap.com/#/notes/3087254
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
Jump to