cvelistv5 - CVE-2021-40502

CVE-2021-40502 (GCVE-0-2021-40502)

Vulnerability from cvelistv5 – Published: 2021-11-10 15:24 – Updated: 2024-08-04 02:44

Summary

SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.

Severity ?

No CVSS data available.

CWE

CWE-862

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/3110328	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP Commerce	Affected: < 2105.3 Affected: < 2011.13 Affected: < 2005.18 Affected: < 1905.34

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:44:10.860Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3110328"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP Commerce",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2105.3"
            },
            {
              "status": "affected",
              "version": "\u003c 2011.13"
            },
            {
              "status": "affected",
              "version": "\u003c 2005.18"
            },
            {
              "status": "affected",
              "version": "\u003c 1905.34"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-24T15:57:05",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3110328"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-40502",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP Commerce",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "2105.3"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "2011.13"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "2005.18"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1905.34"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "null",
            "vectorString": "null",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3110328",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3110328"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-40502",
    "datePublished": "2021-11-10T15:24:42",
    "dateReserved": "2021-09-03T00:00:00",
    "dateUpdated": "2024-08-04T02:44:10.860Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:1905.34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"78CBB227-38A7-4785-A6B1-7CE037E25C40\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:2005.18:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80FD1F4D-9712-4B96-85ED-B8486DD8295D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:2011.13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F4A6EA65-350B-4132-BCB3-643CF857207D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:2105.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"985092A4-8595-4D2E-9DDE-056680F7EB06\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.\"}, {\"lang\": \"es\", \"value\": \"SAP Commerce - versiones 2105.3, 2011.13, 2005.18, 1905.34, no realiza las comprobaciones de autorizaci\\u00f3n necesarias para un usuario autenticado, lo que da lugar a una escalada de privilegios. Los atacantes autentificados podr\\u00e1n acceder y editar datos de unidades b2b a las que no pertenecen\"}]",
      "id": "CVE-2021-40502",
      "lastModified": "2024-11-21T06:24:16.560",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-11-10T16:15:08.673",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3110328\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3110328\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-40502\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2021-11-10T16:15:08.673\",\"lastModified\":\"2024-11-21T06:24:16.560\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.\"},{\"lang\":\"es\",\"value\":\"SAP Commerce - versiones 2105.3, 2011.13, 2005.18, 1905.34, no realiza las comprobaciones de autorizaci\u00f3n necesarias para un usuario autenticado, lo que da lugar a una escalada de privilegios. Los atacantes autentificados podr\u00e1n acceder y editar datos de unidades b2b a las que no pertenecen\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:1905.34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"78CBB227-38A7-4785-A6B1-7CE037E25C40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:2005.18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80FD1F4D-9712-4B96-85ED-B8486DD8295D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:2011.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4A6EA65-350B-4132-BCB3-643CF857207D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:2105.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"985092A4-8595-4D2E-9DDE-056680F7EB06\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3110328\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3110328\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-852

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86
SAP	N/A	SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7
SAP	N/A	SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105
SAP	N/A	SAP GUI pour Windows versions antérieures à 7.60 PL13 et versions 7.70 PL4
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
SAP	N/A	SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34
SAP	N/A	SAP ERP HCM Portugal versions - 600, 604, 608

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 589496864 du 09 novembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows versions ant\u00e9rieures \u00e0 7.60 PL13 et versions 7.70 PL4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP HCM Portugal versions - 600, 604, 608",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-40504",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40504"
    },
    {
      "name": "CVE-2021-42062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42062"
    },
    {
      "name": "CVE-2021-38164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38164"
    },
    {
      "name": "CVE-2021-40501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40501"
    },
    {
      "name": "CVE-2021-40502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40502"
    },
    {
      "name": "CVE-2021-40503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40503"
    },
    {
      "name": "CVE-2020-6369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6369"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-852",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nElles permettent \u00e0 un attaquant de provoquer un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 589496864 du 09 novembre 2021",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ]
}

CERTFR-2021-AVI-852

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86
SAP	N/A	SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7
SAP	N/A	SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105
SAP	N/A	SAP GUI pour Windows versions antérieures à 7.60 PL13 et versions 7.70 PL4
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
SAP	N/A	SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34
SAP	N/A	SAP ERP HCM Portugal versions - 600, 604, 608

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 589496864 du 09 novembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows versions ant\u00e9rieures \u00e0 7.60 PL13 et versions 7.70 PL4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP HCM Portugal versions - 600, 604, 608",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-40504",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40504"
    },
    {
      "name": "CVE-2021-42062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42062"
    },
    {
      "name": "CVE-2021-38164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38164"
    },
    {
      "name": "CVE-2021-40501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40501"
    },
    {
      "name": "CVE-2021-40502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40502"
    },
    {
      "name": "CVE-2021-40503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40503"
    },
    {
      "name": "CVE-2020-6369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6369"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-852",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nElles permettent \u00e0 un attaquant de provoquer un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 589496864 du 09 novembre 2021",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ]
}

GSD-2021-40502

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-40502

Aliases

CVE-2021-40502

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-40502",
    "description": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.",
    "id": "GSD-2021-40502"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-40502"
      ],
      "details": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.",
      "id": "GSD-2021-40502",
      "modified": "2023-12-13T01:23:25.143433Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2021-40502",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP Commerce",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "2105.3"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "2011.13"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "2005.18"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1905.34"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "null",
          "vectorString": "null",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-862"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3110328",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3110328"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:1905.34:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:2005.18:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:2011.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:2105.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-40502"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3110328",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3110328"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-28T23:21Z",
      "publishedDate": "2021-11-10T16:15Z"
    }
  }
}

FKIE_CVE-2021-40502

Vulnerability from fkie_nvd - Published: 2021-11-10 16:15 - Updated: 2024-11-21 06:24

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/3110328	Permissions Required, Vendor Advisory
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3110328	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	commerce	1905.34
sap	commerce	2005.18
sap	commerce	2011.13
sap	commerce	2105.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:commerce:1905.34:*:*:*:*:*:*:*",
              "matchCriteriaId": "78CBB227-38A7-4785-A6B1-7CE037E25C40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:2005.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "80FD1F4D-9712-4B96-85ED-B8486DD8295D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:2011.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4A6EA65-350B-4132-BCB3-643CF857207D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:2105.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "985092A4-8595-4D2E-9DDE-056680F7EB06",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to."
    },
    {
      "lang": "es",
      "value": "SAP Commerce - versiones 2105.3, 2011.13, 2005.18, 1905.34, no realiza las comprobaciones de autorizaci\u00f3n necesarias para un usuario autenticado, lo que da lugar a una escalada de privilegios. Los atacantes autentificados podr\u00e1n acceder y editar datos de unidades b2b a las que no pertenecen"
    }
  ],
  "id": "CVE-2021-40502",
  "lastModified": "2024-11-21T06:24:16.560",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-10T16:15:08.673",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3110328"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3110328"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-GRP2-X34R-X38C

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-40502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from B2B units they do not belong to.",
  "id": "GHSA-grp2-x34r-x38c",
  "modified": "2022-05-24T19:20:18Z",
  "published": "2022-05-24T19:20:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40502"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3110328"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-40502 (GCVE-0-2021-40502)

CERTFR-2021-AVI-852

Solution

CERTFR-2021-AVI-852

Solution

GSD-2021-40502

FKIE_CVE-2021-40502

GHSA-GRP2-X34R-X38C

Tags

Sightings

Nomenclature