cnvd - cnvd-2021-47705

cnvd-2021-47705

Vulnerability from cnvd

Title: SAP NetWeaver AS for ABAP跨站脚本漏洞

Description:

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。

SAP NetWeaver AS for ABAP存在跨站脚本漏洞，攻击者可利用该漏洞访问与当前会话相关的数据，并使用该会话冒充用户访问与目标用户具有相同权限的所有信息。

Severity: 中

Patch Name: SAP NetWeaver AS for ABAP跨站脚本漏洞的补丁

Patch Description:

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。

SAP NetWeaver AS for ABAP存在跨站脚本漏洞，攻击者可利用该漏洞访问与当前会话相关的数据，并使用该会话冒充用户访问与目标用户具有相同权限的所有信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序,请及时关注更新： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-21490

Impacted products

Name
['SAP NetWeaver AS for ABAP（Web Survey） 700', 'SAP NetWeaver AS for ABAP（Web Survey） 702', 'SAP NetWeaver AS for ABAP（Web Survey） 710', 'SAP NetWeaver AS for ABAP（Web Survey） 711', 'SAP NetWeaver AS for ABAP（Web Survey） 730', 'SAP NetWeaver AS for ABAP（Web Survey） 731', 'SAP NetWeaver AS for ABAP（Web Survey） 750', 'SAP NetWeaver AS for ABAP（Web Survey） 752', 'SAP NetWeaver AS for ABAP（Web Survey） 75A', 'SAP NetWeaver AS for ABAP（Web Survey） 75F']

Name

['SAP NetWeaver AS for ABAP（Web Survey） 700', 'SAP NetWeaver AS for ABAP（Web Survey） 702', 'SAP NetWeaver AS for ABAP（Web Survey） 710', 'SAP NetWeaver AS for ABAP（Web Survey） 711', 'SAP NetWeaver AS for ABAP（Web Survey） 730', 'SAP NetWeaver AS for ABAP（Web Survey） 731', 'SAP NetWeaver AS for ABAP（Web Survey） 750', 'SAP NetWeaver AS for ABAP（Web Survey） 752', 'SAP NetWeaver AS for ABAP（Web Survey） 75A', 'SAP NetWeaver AS for ABAP（Web Survey） 75F']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21490",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21490"
    }
  },
  "description": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\n\nSAP NetWeaver AS for ABAP\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e0e\u5f53\u524d\u4f1a\u8bdd\u76f8\u5173\u7684\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u8be5\u4f1a\u8bdd\u5192\u5145\u7528\u6237\u8bbf\u95ee\u4e0e\u76ee\u6807\u7528\u6237\u5177\u6709\u76f8\u540c\u6743\u9650\u7684\u6240\u6709\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f,\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47705",
  "openTime": "2021-07-06",
  "patchDescription": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\r\n\r\nSAP NetWeaver AS for ABAP\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e0e\u5f53\u524d\u4f1a\u8bdd\u76f8\u5173\u7684\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u8be5\u4f1a\u8bdd\u5192\u5145\u7528\u6237\u8bbf\u95ee\u4e0e\u76ee\u6807\u7528\u6237\u5177\u6709\u76f8\u540c\u6743\u9650\u7684\u6240\u6709\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS for ABAP\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 700",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 702",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 710",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 711",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 730",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 731",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 750",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 752",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 75A",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 75F"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21490",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-11",
  "title": "SAP NetWeaver AS for ABAP\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-21490 (GCVE-0-2021-21490)

Vulnerability from cvelistv5

Published

2021-06-09 13:23

Modified

2024-08-03 18:16

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Cross Site Scripting

Summary

SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.

References

▼	URL	Tags
	https://launchpad.support.sap.com/#/notes/3004043	x_refsource_MISC
	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP NetWeaver AS for ABAP (Web Survey)	Version: < 700 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 750 Version: < 752 Version: < 75A Version: < 75F

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:16:22.657Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3004043"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver AS for ABAP (Web Survey)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 700"
            },
            {
              "status": "affected",
              "version": "\u003c 702"
            },
            {
              "status": "affected",
              "version": "\u003c 710"
            },
            {
              "status": "affected",
              "version": "\u003c 711"
            },
            {
              "status": "affected",
              "version": "\u003c 730"
            },
            {
              "status": "affected",
              "version": "\u003c 731"
            },
            {
              "status": "affected",
              "version": "\u003c 750"
            },
            {
              "status": "affected",
              "version": "\u003c 752"
            },
            {
              "status": "affected",
              "version": "\u003c 75A"
            },
            {
              "status": "affected",
              "version": "\u003c 75F"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-09T13:23:40",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3004043"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-21490",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver AS for ABAP (Web Survey)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "700"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "702"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "710"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "711"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "730"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "731"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "750"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "750"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "752"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "75A"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "75F"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "6.1",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3004043",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3004043"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-21490",
    "datePublished": "2021-06-09T13:23:40",
    "dateReserved": "2020-12-30T00:00:00",
    "dateUpdated": "2024-08-03T18:16:22.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted