fkie_cve-2021-40498
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:24
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the users device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attacks that can be used for staging other types of attacks.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/3077635Permissions Required
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/3077635Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983Vendor Advisory
Impacted products
Vendor Product Version
sap successfactors_mobile *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:successfactors_mobile:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "A8AD78C4-78CE-4500-A78B-C39ADFD31B30",
              "versionEndExcluding": "2108",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the users device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attacks that can be used for staging other types of attacks."
    },
    {
      "lang": "es",
      "value": "Se ha identificado una vulnerabilidad en SAP SuccessFactors Mobile Application para Android - versiones anteriores a la 2108, que permite a un atacante impedir que los usuarios leg\u00edtimos accedan a un servicio, ya sea al bloquear o inundar el servicio, lo que puede conllevar a una denegaci\u00f3n de servicio. La vulnerabilidad est\u00e1 relacionada con los m\u00e9todos de implementaci\u00f3n de Android que se usan ampliamente en las aplicaciones m\u00f3viles de Android, y dichos m\u00e9todos est\u00e1n insertados en la aplicaci\u00f3n m\u00f3vil de SAP SuccessFactors. Estos m\u00e9todos de Android comienzan a ejecutarse una vez que el usuario accede a su perfil en la aplicaci\u00f3n m\u00f3vil. Mientras se ejecutan, tambi\u00e9n pueden recoger las actividades de otras aplicaciones Android que se est\u00e1n ejecutando en segundo plano en el dispositivo del usuario y que est\u00e1n usando los mismos tipos de m\u00e9todos en la aplicaci\u00f3n. Esta vulnerabilidad tambi\u00e9n puede conllevar a ataques de phishing que pueden ser usados para realizar otros tipos de ataques"
    }
  ],
  "id": "CVE-2021-40498",
  "lastModified": "2024-11-21T06:24:16.033",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-12T15:15:09.523",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3077635"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3077635"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.