CVE-2021-38176
CVSS V2 High 9
CVSS V3 High 8.8
Description
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
Overview
- CVE ID
- CVE-2021-38176
- Assigner
- cna@sap.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-09-14T12:15:11
- Last Modified Date
- 2022-07-12T17:42:04
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:sap:landscape_transformation:2.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:landscape_transformation_replication_server:1.0:*:*:*:*:s\/4hana:*:* | 1 | OR | ||
| cpe:2.3:a:sap:landscape_transformation_replication_server:2.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:landscape_transformation_replication_server:3.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:1511:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:1610:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:1709:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:1809:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:1909:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:2020:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:s\/4hana:2021:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:test_data_migration_server:4.0:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:S/C:C/I:C/A:C
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- COMPLETE
- Integrity Impact
- COMPLETE
- Availability Impact
- COMPLETE
- Base Score
- 9
- Severity
- HIGH
- Exploitability Score
- 8
- Impact Score
- 10
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8.8
- Base Severity
- HIGH
- Exploitability Score
- 2.8
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://launchpad.support.sap.com/#/notes/3089831 | Permissions Required |
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-38176 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38176 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:42:58 | Added to TrackCVE | |||
| 2022-12-05 10:31:53 | 2021-09-14T12:15Z | 2021-09-14T12:15:11 | CVE Published Date | updated |
| 2022-12-05 10:31:53 | 2022-07-12T17:42:04 | CVE Modified Date | updated | |
| 2022-12-05 10:31:53 | Analyzed | Vulnerability Status | updated |