CVE-2021-44232 : SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient v

SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server.

Published 2021-12-14 16:15:10

Updated 2021-12-22 15:17:34

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2021-44232

SAP » Saf-t Framework » Version: 103
cpe:2.3:a:sap:saf-t_framework:103:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 104
cpe:2.3:a:sap:saf-t_framework:104:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 105
cpe:2.3:a:sap:saf-t_framework:105:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 602
cpe:2.3:a:sap:saf-t_framework:602:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 603
cpe:2.3:a:sap:saf-t_framework:603:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 604
cpe:2.3:a:sap:saf-t_framework:604:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 605
cpe:2.3:a:sap:saf-t_framework:605:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 606
cpe:2.3:a:sap:saf-t_framework:606:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 618
cpe:2.3:a:sap:saf-t_framework:618:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 720
cpe:2.3:a:sap:saf-t_framework:720:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: 730
cpe:2.3:a:sap:saf-t_framework:730:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: S4core 102
cpe:2.3:a:sap:saf-t_framework:s4core_102:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: Sap Appl 600
cpe:2.3:a:sap:saf-t_framework:sap_appl_600:*:*:*:*:*:*:*
Matching versions
SAP » Saf-t Framework » Version: Sap Fin 617
cpe:2.3:a:sap:saf-t_framework:sap_fin_617:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-44232

EPSS FAQ

0.47%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-44232

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	3.1	4.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-44232

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-44232

https://launchpad.support.sap.com/#/notes/3124094

SAP ONE Support Launchpad: Log On
Vendor Advisory
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

SAP Security Patch Day - December 2021 - Product Security Response at SAP - Community Wiki
Permissions Required;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-44232

Products affected by CVE-2021-44232

Exploit prediction scoring system (EPSS) score for CVE-2021-44232

CVSS scores for CVE-2021-44232

CWE ids for CVE-2021-44232

References for CVE-2021-44232