Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2021-AVI-440
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | SAP NetWeaver AS for ABAP (RFC Gateway) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83 | ||
| SAP | N/A | SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML) versions KRNL64NUC - 7.49, KRNL64UC - 7.49, 7.53, KERNEL - 7.49, 7.53, 7.77, 7.81 et 7.84 | ||
| SAP | N/A | SAP NetWeaver AS ABAP et ABAP Platform (SRM_RFC_SUBMIT_REPORT) versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 et 755 | ||
| SAP | N/A | SAP NetWeaver AS ABAP versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 et 7.84 | ||
| SAP | N/A | SAP NetWeaver AS for ABAP (Web Survey) versions 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A et 75F | ||
| SAP | N/A | SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) versions SAP_UI – 750, 752, 753, 754, 755, SAP_BASIS – 702, 31 | ||
| SAP | N/A | SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755 et 804 | ||
| SAP | N/A | SAP NetWeaver ABAP Server et ABAP Platform (Enqueue Server) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53 et 7.73 | ||
| SAP | N/A | SAP Business One version 10.0 | ||
| SAP | Commerce Cloud | SAP Commerce Cloud version 100 | ||
| SAP | N/A | SAP 3D Visual Enterprise Viewer version 9 | ||
| SAP | N/A | SAP Commerce versions 1808, 1811, 1905, 2005 et 2011 | ||
| SAP | N/A | SAP Fiori Apps 2.0 for Travel Management in SAP ERP version 608 | ||
| SAP | N/A | SAP NetWeaver AS for Java (UserAdmin) versions 7.11,7.20,7.30,7.31,7.40 et 7.50 | ||
| SAP | N/A | SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40 et 7.50 | ||
| SAP | N/A | SAP Manufacturing Execution versions 15.1, 1.5.2, 15.3 et 15.4 | ||
| SAP | N/A | SAP NetWeaver ABAP Server et ABAP Platform (Dispatcher) versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83 | ||
| SAP | N/A | SAP Enable Now (SAP Workforce Performance Builder - Manager) versions 10.0 et 1.0 | ||
| SAP | N/A | SAP NetWeaver AS (Internet Graphics Server – Portwatcher) versions 7.20, 7.20EXT, 7.53, 7.20_EX2 et 7.81 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SAP NetWeaver AS for ABAP (RFC Gateway) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML) versions KRNL64NUC - 7.49, KRNL64UC - 7.49, 7.53, KERNEL - 7.49, 7.53, 7.77, 7.81 et 7.84",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS ABAP et ABAP Platform (SRM_RFC_SUBMIT_REPORT) versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 et 755",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS ABAP versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 et 7.84",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS for ABAP (Web Survey) versions 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A et 75F",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) versions SAP_UI \u2013 750, 752, 753, 754, 755, SAP_BASIS \u2013 702, 31",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755 et 804",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver ABAP Server et ABAP Platform (Enqueue Server) versions KRNL32NUC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53 et 7.73",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Business One version 10.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Commerce Cloud version 100",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP 3D Visual Enterprise Viewer version 9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Commerce versions 1808, 1811, 1905, 2005 et 2011",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Fiori Apps 2.0 for Travel Management in SAP ERP version 608",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS for Java (UserAdmin) versions 7.11,7.20,7.30,7.31,7.40 et 7.50",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40 et 7.50",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Manufacturing Execution versions 15.1, 1.5.2, 15.3 et 15.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver ABAP Server et ABAP Platform (Dispatcher) versions KRNL32NUC - 7.22, 7.22EXT, KRNL32UC - 7.22, 7.22EXT, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73, KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 et 7.83",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Enable Now (SAP Workforce Performance Builder - Manager) versions 10.0 et 1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS (Internet Graphics Server \u2013 Portwatcher) versions 7.20, 7.20EXT, 7.53, 7.20_EX2 et 7.81",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-27606",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27606"
},
{
"name": "CVE-2021-27610",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27610"
},
{
"name": "CVE-2021-27639",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27639"
},
{
"name": "CVE-2021-27631",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27631"
},
{
"name": "CVE-2021-27624",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27624"
},
{
"name": "CVE-2021-33666",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33666"
},
{
"name": "CVE-2021-27627",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27627"
},
{
"name": "CVE-2021-27638",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27638"
},
{
"name": "CVE-2021-27607",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27607"
},
{
"name": "CVE-2021-27625",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27625"
},
{
"name": "CVE-2021-27634",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27634"
},
{
"name": "CVE-2021-27642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27642"
},
{
"name": "CVE-2021-27628",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27628"
},
{
"name": "CVE-2021-27641",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27641"
},
{
"name": "CVE-2021-27620",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27620"
},
{
"name": "CVE-2021-33661",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33661"
},
{
"name": "CVE-2021-27630",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27630"
},
{
"name": "CVE-2021-33659",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33659"
},
{
"name": "CVE-2021-27637",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27637"
},
{
"name": "CVE-2021-27623",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27623"
},
{
"name": "CVE-2021-33662",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33662"
},
{
"name": "CVE-2021-27629",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27629"
},
{
"name": "CVE-2021-27632",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27632"
},
{
"name": "CVE-2021-27633",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27633"
},
{
"name": "CVE-2021-33664",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33664"
},
{
"name": "CVE-2021-21490",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21490"
},
{
"name": "CVE-2021-27643",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27643"
},
{
"name": "CVE-2021-27597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27597"
},
{
"name": "CVE-2021-33665",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33665"
},
{
"name": "CVE-2021-27615",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27615"
},
{
"name": "CVE-2021-33663",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33663"
},
{
"name": "CVE-2021-27635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27635"
},
{
"name": "CVE-2021-33660",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33660"
},
{
"name": "CVE-2021-27605",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27605"
},
{
"name": "CVE-2021-27626",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27626"
},
{
"name": "CVE-2021-27621",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27621"
},
{
"name": "CVE-2021-27622",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27622"
},
{
"name": "CVE-2021-21473",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21473"
},
{
"name": "CVE-2021-27640",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27640"
},
{
"name": "CVE-2021-27602",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27602"
}
],
"initial_release_date": "2021-06-08T00:00:00",
"last_revision_date": "2021-06-08T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-440",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 SAP du 08 juin 2021",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
}
]
}
CVE-2021-27605 (GCVE-0-2021-27605)
Vulnerability from cvelistv5
Published
2021-04-13 18:44
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Missing Authorization
Summary
SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Fiori Apps 2.0 for Travel Management in SAP ERP |
Version: < 608 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.200Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3025054"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Fiori Apps 2.0 for Travel Management in SAP ERP",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 608"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP\u0027s HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:44:13",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3025054"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27605",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Fiori Apps 2.0 for Travel Management in SAP ERP",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "608"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP\u0027s HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3025054",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3025054"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27605",
"datePublished": "2021-04-13T18:44:13",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27623 (GCVE-0-2021-27623)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CXmlUtility::CheckLength() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CXmlUtility::CheckLength() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27623",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27639 (GCVE-0-2021-27639)
Vulnerability from cvelistv5
Published
2021-06-09 13:30
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:30:39",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27639",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27639",
"datePublished": "2021-06-09T13:30:39",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27641 (GCVE-0-2021-27641)
Vulnerability from cvelistv5
Published
2021-06-09 13:31
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:31:41",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27641",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27641",
"datePublished": "2021-06-09T13:31:41",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27632 (GCVE-0-2021-27632)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "Improper Input Validation (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27632",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27631 (GCVE-0-2021-27631)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "Improper Input Validation (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27631",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21490 (GCVE-0-2021-21490)
Vulnerability from cvelistv5
Published
2021-06-09 13:23
Modified
2024-08-03 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting
Summary
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for ABAP (Web Survey) |
Version: < 700 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 750 Version: < 752 Version: < 75A Version: < 75F |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:22.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3004043"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for ABAP (Web Survey)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 710"
},
{
"status": "affected",
"version": "\u003c 711"
},
{
"status": "affected",
"version": "\u003c 730"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 75A"
},
{
"status": "affected",
"version": "\u003c 75F"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:23:40",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3004043"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-21490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS for ABAP (Web Survey)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "711"
},
{
"version_name": "\u003c",
"version_value": "730"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "75A"
},
{
"version_name": "\u003c",
"version_value": "75F"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
}
]
},
"impact": {
"cvss": {
"baseScore": "6.1",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/3004043",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3004043"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-21490",
"datePublished": "2021-06-09T13:23:40",
"dateReserved": "2020-12-30T00:00:00",
"dateUpdated": "2024-08-03T18:16:22.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27622 (GCVE-0-2021-27622)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CDrawRaster::LoadImageFromMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CDrawRaster::LoadImageFromMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27622",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27602 (GCVE-0-2021-27602)
Vulnerability from cvelistv5
Published
2021-04-13 18:41
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Code Injection
Summary
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Commerce |
Version: < 1808 Version: < 1811 Version: < 1905 Version: < 2005 Version: < 2011 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.373Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3040210"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Commerce",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1808"
},
{
"status": "affected",
"version": "\u003c 1811"
},
{
"status": "affected",
"version": "\u003c 1905"
},
{
"status": "affected",
"version": "\u003c 2005"
},
{
"status": "affected",
"version": "\u003c 2011"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:41:24",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3040210"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27602",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Commerce",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1808"
},
{
"version_name": "\u003c",
"version_value": "1811"
},
{
"version_name": "\u003c",
"version_value": "1905"
},
{
"version_name": "\u003c",
"version_value": "2005"
},
{
"version_name": "\u003c",
"version_value": "2011"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.9",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3040210",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3040210"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27602",
"datePublished": "2021-04-13T18:41:24",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33665 (GCVE-0-2021-33665)
Vulnerability from cvelistv5
Published
2021-06-09 13:33
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting
Summary
SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML) |
Version: < KRNL64NUC - 7.49 Version: < KRNL64UC - 7.49 Version: < 7.53 Version: < KERNEL - 7.49 Version: < 7.77 Version: < 7.81 Version: < 7.84 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:21.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3028370"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 7.49"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.49"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.84"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:33:13",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3028370"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33665",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "KRNL64NUC - 7.49"
},
{
"version_name": "\u003c",
"version_value": "KRNL64UC - 7.49"
},
{
"version_name": "\u003c",
"version_value": "7.53"
},
{
"version_name": "\u003c",
"version_value": "KERNEL - 7.49"
},
{
"version_name": "\u003c",
"version_value": "7.53"
},
{
"version_name": "\u003c",
"version_value": "7.77"
},
{
"version_name": "\u003c",
"version_value": "7.81"
},
{
"version_name": "\u003c",
"version_value": "7.84"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.4",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3028370",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3028370"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33665",
"datePublished": "2021-06-09T13:33:13",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:21.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27607 (GCVE-0-2021-27607)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThSncIn() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL32UC - 7.22 Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021197"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL32UC - 7.22"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThSncIn() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "Improper Input Validation (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021197"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27607",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:09.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27625 (GCVE-0-2021-27625)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method IgsData::freeMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method IgsData::freeMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27625",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27630 (GCVE-0-2021-27630)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "Improper Input Validation (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27630",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27633 (GCVE-0-2021-27633)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThCPIC() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for ABAP (RFC Gateway) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for ABAP (RFC Gateway)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThCPIC() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27633",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27621 (GCVE-0-2021-27621)
Vulnerability from cvelistv5
Published
2021-06-09 13:25
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for Java (UserAdmin) |
Version: < 7.11 Version: < 7.20 Version: < 7.30 Version: < 7.31 Version: < 7.40 Version: < 7.50 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3023299"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for Java (UserAdmin)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.11"
},
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.30"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.40"
},
{
"status": "affected",
"version": "\u003c 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:25:25",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3023299"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27621",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS for Java (UserAdmin)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.11"
},
{
"version_name": "\u003c",
"version_value": "7.20"
},
{
"version_name": "\u003c",
"version_value": "7.30"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.40"
},
{
"version_name": "\u003c",
"version_value": "7.50"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3023299",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3023299"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27621",
"datePublished": "2021-06-09T13:25:25",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27642 (GCVE-0-2021-27642)
Vulnerability from cvelistv5
Published
2021-06-09 13:31
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:31:57",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27642",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27642",
"datePublished": "2021-06-09T13:31:57",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27610 (GCVE-0-2021-27610)
Vulnerability from cvelistv5
Published
2021-06-16 14:45
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Authentication
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: < 700 Version: < 701 Version: < 702 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 804 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3007182"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS ABAP and ABAP Platform",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 701"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 751"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 753"
},
{
"status": "affected",
"version": "\u003c 754"
},
{
"status": "affected",
"version": "\u003c 755"
},
{
"status": "affected",
"version": "\u003c 804"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-16T14:45:57",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3007182"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27610",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS ABAP and ABAP Platform",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "701"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "751"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "753"
},
{
"version_name": "\u003c",
"version_value": "754"
},
{
"version_name": "\u003c",
"version_value": "755"
},
{
"version_name": "\u003c",
"version_value": "804"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.0",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3007182",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3007182"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27610",
"datePublished": "2021-06-16T14:45:57",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:09.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33659 (GCVE-0-2021-33659)
Vulnerability from cvelistv5
Published
2021-06-09 13:33
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:33:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33659",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33659",
"datePublished": "2021-06-09T13:33:01",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27643 (GCVE-0-2021-27643)
Vulnerability from cvelistv5
Published
2021-06-09 13:31
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:31:46",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27643",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27643",
"datePublished": "2021-06-09T13:31:46",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33662 (GCVE-0-2021-33662)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be restricted.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Business One |
Version: < 10.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3058382"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Business One",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be restricted."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:32:05",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3058382"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33662",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Business One",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be restricted."
}
]
},
"impact": {
"cvss": {
"baseScore": "6.7",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3058382",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3058382"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33662",
"datePublished": "2021-06-09T13:32:05",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33663 (GCVE-0-2021-33663)
Vulnerability from cvelistv5
Published
2021-06-09 13:33
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS ABAP |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL32UC - 7.22 Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 Version: < 7.84 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3030604"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS ABAP",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL32UC - 7.22"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
},
{
"status": "affected",
"version": "\u003c 7.84"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:33:06",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3030604"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS ABAP",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "KRNL32NUC - 7.22"
},
{
"version_name": "\u003c",
"version_value": "7.22EXT"
},
{
"version_name": "\u003c",
"version_value": "KRNL32UC - 7.22"
},
{
"version_name": "\u003c",
"version_value": "7.22EXT"
},
{
"version_name": "\u003c",
"version_value": "KRNL64NUC - 7.22"
},
{
"version_name": "\u003c",
"version_value": "7.22EXT"
},
{
"version_name": "\u003c",
"version_value": "7.49"
},
{
"version_name": "\u003c",
"version_value": "KRNL64UC - 8.04"
},
{
"version_name": "\u003c",
"version_value": "7.22"
},
{
"version_name": "\u003c",
"version_value": "7.22EXT"
},
{
"version_name": "\u003c",
"version_value": "7.49"
},
{
"version_name": "\u003c",
"version_value": "7.53"
},
{
"version_name": "\u003c",
"version_value": "7.73"
},
{
"version_name": "\u003c",
"version_value": "KERNEL - 7.22"
},
{
"version_name": "\u003c",
"version_value": "8.04"
},
{
"version_name": "\u003c",
"version_value": "7.49"
},
{
"version_name": "\u003c",
"version_value": "7.53"
},
{
"version_name": "\u003c",
"version_value": "7.73"
},
{
"version_name": "\u003c",
"version_value": "7.77"
},
{
"version_name": "\u003c",
"version_value": "7.81"
},
{
"version_name": "\u003c",
"version_value": "7.82"
},
{
"version_name": "\u003c",
"version_value": "7.83"
},
{
"version_name": "\u003c",
"version_value": "7.84"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.8",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3030604",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3030604"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33663",
"datePublished": "2021-06-09T13:33:06",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27634 (GCVE-0-2021-27634)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThCpicDtCreate () causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for ABAP (RFC Gateway) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for ABAP (RFC Gateway)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThCpicDtCreate () causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27634",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27627 (GCVE-0-2021-27627)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method ChartInterpreter::DoIt() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method ChartInterpreter::DoIt() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27627",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27628 (GCVE-0-2021-27628)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method DpRTmPrepareReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL32UC - 7.22 Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021197"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL32UC - 7.22"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method DpRTmPrepareReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021197"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27628",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27640 (GCVE-0-2021-27640)
Vulnerability from cvelistv5
Published
2021-06-09 13:31
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:31:52",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27640",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27640",
"datePublished": "2021-06-09T13:31:52",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27629 (GCVE-0-2021-27629)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncPSetUnsupported() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncPSetUnsupported() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Improper Input Validation (CWE-125)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27629",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27635 (GCVE-0-2021-27635)
Vulnerability from cvelistv5
Published
2021-06-09 13:30
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Missing XML Validation (CWE - 112)
Summary
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for JAVA |
Version: < 7.20 Version: < 7.30 Version: < 7.31 Version: < 7.40 Version: < 7.50 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3053066"
},
{
"name": "20211022 Onapsis Security Advisory 2021-0016: XXE in SAP JAVA NetWeaver System Connections",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/28"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for JAVA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.30"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.40"
},
{
"status": "affected",
"version": "\u003c 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing XML Validation (CWE - 112)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T17:09:59",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3053066"
},
{
"name": "20211022 Onapsis Security Advisory 2021-0016: XXE in SAP JAVA NetWeaver System Connections",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/28"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27635",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS for JAVA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.20"
},
{
"version_name": "\u003c",
"version_value": "7.30"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.40"
},
{
"version_name": "\u003c",
"version_value": "7.50"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing XML Validation (CWE - 112)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3053066",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3053066"
},
{
"name": "20211022 Onapsis Security Advisory 2021-0016: XXE in SAP JAVA NetWeaver System Connections",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/28"
},
{
"name": "http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27635",
"datePublished": "2021-06-09T13:30:45",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27624 (GCVE-0-2021-27624)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CiXMLIStreamRawBuffer::readRaw () which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CiXMLIStreamRawBuffer::readRaw () which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27624",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21473 (GCVE-0-2021-21473)
Vulnerability from cvelistv5
Published
2021-06-09 13:23
Modified
2024-08-03 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Missing Authorization
Summary
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT) |
Version: < 700 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:22.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3002517"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 700"
},
{
"status": "affected",
"version": "\u003c 702"
},
{
"status": "affected",
"version": "\u003c 710"
},
{
"status": "affected",
"version": "\u003c 711"
},
{
"status": "affected",
"version": "\u003c 730"
},
{
"status": "affected",
"version": "\u003c 731"
},
{
"status": "affected",
"version": "\u003c 740"
},
{
"status": "affected",
"version": "\u003c 750"
},
{
"status": "affected",
"version": "\u003c 751"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 753"
},
{
"status": "affected",
"version": "\u003c 754"
},
{
"status": "affected",
"version": "\u003c 755"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T17:06:25",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3002517"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-21473",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "700"
},
{
"version_name": "\u003c",
"version_value": "702"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "711"
},
{
"version_name": "\u003c",
"version_value": "730"
},
{
"version_name": "\u003c",
"version_value": "731"
},
{
"version_name": "\u003c",
"version_value": "740"
},
{
"version_name": "\u003c",
"version_value": "750"
},
{
"version_name": "\u003c",
"version_value": "751"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "753"
},
{
"version_name": "\u003c",
"version_value": "754"
},
{
"version_name": "\u003c",
"version_value": "755"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform."
}
]
},
"impact": {
"cvss": {
"baseScore": "6.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3002517",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3002517"
},
{
"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/May/42"
},
{
"name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-21473",
"datePublished": "2021-06-09T13:23:48",
"dateReserved": "2020-12-30T00:00:00",
"dateUpdated": "2024-08-03T18:16:22.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27626 (GCVE-0-2021-27626)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CMiniXMLParser::Parse() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CMiniXMLParser::Parse() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27626",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33664 (GCVE-0-2021-33664)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting
Summary
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) |
Version: < SAP_UI - 750 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < SAP_BASIS - 702 Version: < 31 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.366Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3025604"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c SAP_UI - 750"
},
{
"status": "affected",
"version": "\u003c 752"
},
{
"status": "affected",
"version": "\u003c 753"
},
{
"status": "affected",
"version": "\u003c 754"
},
{
"status": "affected",
"version": "\u003c 755"
},
{
"status": "affected",
"version": "\u003c SAP_BASIS - 702"
},
{
"status": "affected",
"version": "\u003c 31"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:32:50",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3025604"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "SAP_UI - 750"
},
{
"version_name": "\u003c",
"version_value": "752"
},
{
"version_name": "\u003c",
"version_value": "753"
},
{
"version_name": "\u003c",
"version_value": "754"
},
{
"version_name": "\u003c",
"version_value": "755"
},
{
"version_name": "\u003c",
"version_value": "SAP_BASIS - 702"
},
{
"version_name": "\u003c",
"version_value": "31"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.4",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3025604",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3025604"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33664",
"datePublished": "2021-06-09T13:32:50",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27597 (GCVE-0-2021-27597)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Improper Input Validation ()
Summary
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver AS for ABAP (RFC Gateway) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver AS for ABAP (RFC Gateway)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
},
{
"status": "affected",
"version": "\u003c 7.77"
},
{
"status": "affected",
"version": "\u003c 7.81"
},
{
"status": "affected",
"version": "\u003c 7.82"
},
{
"status": "affected",
"version": "\u003c 7.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Improper Input Validation (CWE-125)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020209"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27597",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:09.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33666 (GCVE-0-2021-33666)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Scripting
Summary
When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Commerce Cloud |
Version: < 100 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2985562"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Commerce Cloud",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 100"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:32:45",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2985562"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33666",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Commerce Cloud",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "100"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2985562",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2985562"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33666",
"datePublished": "2021-06-09T13:32:45",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27606 (GCVE-0-2021-27606)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Improper Input Validation ()
Summary
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c KRNL32NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.22EXT"
},
{
"status": "affected",
"version": "\u003c KRNL64NUC - 7.22"
},
{
"status": "affected",
"version": "\u003c 7.49"
},
{
"status": "affected",
"version": "\u003c KRNL64UC - 8.04"
},
{
"status": "affected",
"version": "\u003c 7.22"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.73"
},
{
"status": "affected",
"version": "\u003c KERNEL - 7.22"
},
{
"status": "affected",
"version": "\u003c 8.04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Improper Input Validation (CWE-125)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3020104"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27606",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27615 (GCVE-0-2021-27615)
Vulnerability from cvelistv5
Published
2021-06-09 13:25
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Scripting (XSS)
Summary
SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Manufacturing Execution |
Version: < 15.1 Version: < 1.5.2 Version: < 15.3 Version: < 15.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3030961"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Manufacturing Execution",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 15.1"
},
{
"status": "affected",
"version": "\u003c 1.5.2"
},
{
"status": "affected",
"version": "\u003c 15.3"
},
{
"status": "affected",
"version": "\u003c 15.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:25:03",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3030961"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27615",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Manufacturing Execution",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "15.1"
},
{
"version_name": "\u003c",
"version_value": "1.5.2"
},
{
"version_name": "\u003c",
"version_value": "15.3"
},
{
"version_name": "\u003c",
"version_value": "15.4"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks."
}
]
},
"impact": {
"cvss": {
"baseScore": "6.4",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3030961",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3030961"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27615",
"datePublished": "2021-06-09T13:25:03",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33660 (GCVE-0-2021-33660)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:32:11",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33660",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33660",
"datePublished": "2021-06-09T13:32:11",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33661 (GCVE-0-2021-33661)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:32:55",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33661",
"datePublished": "2021-06-09T13:32:55",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27620 (GCVE-0-2021-27620)
Vulnerability from cvelistv5
Published
2021-06-09 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Improper Input Validation ()
Summary
SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method Ups::AddPart() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Internet Graphics Service |
Version: < 7.20 Version: < 7.20EXT Version: < 7.53 Version: < 7.20_EX2 Version: < 7.81 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Internet Graphics Service",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.20"
},
{
"status": "affected",
"version": "\u003c 7.20EXT"
},
{
"status": "affected",
"version": "\u003c 7.53"
},
{
"status": "affected",
"version": "\u003c 7.20_EX2"
},
{
"status": "affected",
"version": "\u003c 7.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method Ups::AddPart() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Improper Input Validation (CWE-787)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"url": "https://launchpad.support.sap.com/#/notes/3021050"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27620",
"datePublished": "2021-06-09T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27638 (GCVE-0-2021-27638)
Vulnerability from cvelistv5
Published
2021-06-09 13:31
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Input Validation
Summary
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP 3D Visual Enterprise Viewer |
Version: < 9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP 3D Visual Enterprise Viewer",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:31:33",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27638",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP 3D Visual Enterprise Viewer",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3059999",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3059999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27638",
"datePublished": "2021-06-09T13:31:33",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27637 (GCVE-0-2021-27637)
Vulnerability from cvelistv5
Published
2021-06-09 13:30
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an attacker to access information which would otherwise be restricted leading to information disclosure.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Enable Now (SAP Workforce Performance Builder - Manager) |
Version: < 1.0 Version: < 10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3049879"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Enable Now (SAP Workforce Performance Builder - Manager)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0"
},
{
"status": "affected",
"version": "\u003c 10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an attacker to access information which would otherwise be restricted leading to information disclosure."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-09T13:30:33",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3049879"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27637",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Enable Now (SAP Workforce Performance Builder - Manager)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.0"
},
{
"version_name": "\u003c",
"version_value": "10"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an attacker to access information which would otherwise be restricted leading to information disclosure."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.9",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3049879",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3049879"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27637",
"datePublished": "2021-06-09T13:30:33",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…