Severity
Medium
Analysis Summary
CVE-2021-40501
SAP ABAP Platform Kernel could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the failure to perform necessary authorization checks for an authenticated business user. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVE-2021-40502
SAP Commerce could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the failure to perform necessary authorization checks for an authenticated user. By sending a specially crafted request, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2021-40503
SAP GUI for Windows could allow a remote attacker to obtain sensitive information, caused by the leaking of the user’s password. An attacker could exploit this vulnerability to logon to the backend system and launch further attacks.
CVE-2021-40504
SAP NetWeaver Application Server for ABAP and ABAP Platform could allow a remote authenticated attacker to bypass security restrictions, caused by a certain template containing transport authorizations. An attacker could exploit this vulnerability to gain elevated permissions.
Impact
- Privilege Escalation
- Information Disclosure
- Security Bypass
Affected Vendors
SAP
Affected Products
- SAP ABAP Platform Kernel 7.77
- SAP ABAP Platform Kernel 7.81
- SAP ABAP Platform Kernel 7.85
- SAP ABAP Platform Kernel 7.86
- SAP Commerce 2105.3
- SAP Commerce 2011.13
- SAP Commerce 2005.18
- SAP Commerce 1905.34
- SAP GUI for Windows 7.60
- SAP GUI for Windows 7.70
- SAP NetWeaver 700
- SAP NetWeaver 701
- SAP NetWeaver 702
- SAP NetWeaver 730
Remediation
Current SAP customers should refer to SAP note 3099776 for patch information, available from the SAP Web site.