cvelistv5 - CVE-2021-40503

CVE-2021-40503 (GCVE-0-2021-40503)

Vulnerability from cvelistv5 – Published: 2021-11-10 15:27 – Updated: 2024-08-04 02:44

Summary

An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.

Severity ?

No CVSS data available.

CWE

CWE-522

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/3080106	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP GUI for Windows	Affected: < 7.60 PL13 Affected: < 7.70 PL4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:44:10.837Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3080106"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP GUI for Windows",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.60 PL13"
            },
            {
              "status": "affected",
              "version": "\u003c 7.70 PL4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-10T15:27:28",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3080106"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-40503",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP GUI for Windows",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "\u003c 7.60 PL13"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "\u003c 7.70 PL4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "null",
            "vectorString": "null",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3080106",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3080106"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-40503",
    "datePublished": "2021-11-10T15:27:28",
    "dateReserved": "2021-09-03T00:00:00",
    "dateUpdated": "2024-08-04T02:44:10.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.60\", \"matchCriteriaId\": \"603CB0D2-BEA4-4414-AE50-39F9A8E568F2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA071418-F2F0-4530-94C0-94D9295FED83\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E27CD53C-8CA1-4204-829D-3343AC4565B4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level10:*:*:*:*:*:*\", \"matchCriteriaId\": \"0D89F8F8-929B-4D17-B921-CAB3CA2FD405\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level11:*:*:*:*:*:*\", \"matchCriteriaId\": \"41F78A30-CD1A-4F6D-85DF-26FAF4BCF3AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level12:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9E07A43-B98A-4E56-B32D-CC6768AAA937\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level2:*:*:*:*:*:*\", \"matchCriteriaId\": \"1E0246DF-E354-4191-91DA-99880E1BD08A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level3:*:*:*:*:*:*\", \"matchCriteriaId\": \"140210E1-95C6-4EB5-A854-44E9EA03DD27\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level4:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FD672D2-D67A-4576-8F9B-92177AF51151\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level5:*:*:*:*:*:*\", \"matchCriteriaId\": \"AE686D3C-E814-42D6-9F33-839763B53968\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level6:*:*:*:*:*:*\", \"matchCriteriaId\": \"711DE87F-72AA-4A6F-8F53-18758A195ED3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level7:*:*:*:*:*:*\", \"matchCriteriaId\": \"8E44C0EE-8ED0-42E8-81FB-7FE7FC9308E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8:*:*:*:*:*:*\", \"matchCriteriaId\": \"98A928B5-F8AA-4CD0-A8A5-D4E04AB3856A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8_hotfix1:*:*:*:*:*:*\", \"matchCriteriaId\": \"9415406D-32AF-41EB-A351-2DE0306657DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level9:*:*:*:*:*:*\", \"matchCriteriaId\": \"C7B83282-AD56-455F-9979-4F4D145F9798\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.70:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"FE1286F1-B9A5-4F25-B083-272943D90023\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level1:*:*:*:*:*:*\", \"matchCriteriaId\": \"FF605CA1-E860-4185-A358-FE967E0DE408\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level2:*:*:*:*:*:*\", \"matchCriteriaId\": \"181183AC-5621-4895-82E1-E91D9DCAB69A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level3:*:*:*:*:*:*\", \"matchCriteriaId\": \"DD057E0A-C836-46ED-ACB3-1C80CECACD60\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.\"}, {\"lang\": \"es\", \"value\": \"Se presenta una vulnerabilidad de divulgaci\\u00f3n de informaci\\u00f3n en SAP GUI para Windows - versiones anteriores a 7.60 PL13, 7.70 PL4, que permite a un atacante con privilegios suficientes en el PC local del lado del cliente obtener un equivalente de la contrase\\u00f1a del usuario. Con estos datos altamente confidenciales filtrados, el atacante podr\\u00eda iniciar la sesi\\u00f3n en el sistema backend al que estaba conectada la SAP GUI para Windows y lanzar otros ataques en funci\\u00f3n de las autorizaciones del usuario\"}]",
      "id": "CVE-2021-40503",
      "lastModified": "2024-11-21T06:24:16.697",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-11-10T16:15:08.757",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3080106\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3080106\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-40503\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2021-11-10T16:15:08.757\",\"lastModified\":\"2024-11-21T06:24:16.697\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en SAP GUI para Windows - versiones anteriores a 7.60 PL13, 7.70 PL4, que permite a un atacante con privilegios suficientes en el PC local del lado del cliente obtener un equivalente de la contrase\u00f1a del usuario. Con estos datos altamente confidenciales filtrados, el atacante podr\u00eda iniciar la sesi\u00f3n en el sistema backend al que estaba conectada la SAP GUI para Windows y lanzar otros ataques en funci\u00f3n de las autorizaciones del usuario\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.60\",\"matchCriteriaId\":\"603CB0D2-BEA4-4414-AE50-39F9A8E568F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA071418-F2F0-4530-94C0-94D9295FED83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E27CD53C-8CA1-4204-829D-3343AC4565B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level10:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D89F8F8-929B-4D17-B921-CAB3CA2FD405\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level11:*:*:*:*:*:*\",\"matchCriteriaId\":\"41F78A30-CD1A-4F6D-85DF-26FAF4BCF3AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level12:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9E07A43-B98A-4E56-B32D-CC6768AAA937\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level2:*:*:*:*:*:*\",\"matchCriteriaId\":\"1E0246DF-E354-4191-91DA-99880E1BD08A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level3:*:*:*:*:*:*\",\"matchCriteriaId\":\"140210E1-95C6-4EB5-A854-44E9EA03DD27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level4:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FD672D2-D67A-4576-8F9B-92177AF51151\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level5:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE686D3C-E814-42D6-9F33-839763B53968\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level6:*:*:*:*:*:*\",\"matchCriteriaId\":\"711DE87F-72AA-4A6F-8F53-18758A195ED3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level7:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E44C0EE-8ED0-42E8-81FB-7FE7FC9308E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8:*:*:*:*:*:*\",\"matchCriteriaId\":\"98A928B5-F8AA-4CD0-A8A5-D4E04AB3856A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8_hotfix1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9415406D-32AF-41EB-A351-2DE0306657DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.60:patch_level9:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7B83282-AD56-455F-9979-4F4D145F9798\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.70:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE1286F1-B9A5-4F25-B083-272943D90023\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF605CA1-E860-4185-A358-FE967E0DE408\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level2:*:*:*:*:*:*\",\"matchCriteriaId\":\"181183AC-5621-4895-82E1-E91D9DCAB69A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:gui_for_windows:7.70:patch_level3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD057E0A-C836-46ED-ACB3-1C80CECACD60\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3080106\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3080106\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GSD-2021-40503

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-40503

Aliases

CVE-2021-40503

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-40503",
    "description": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.",
    "id": "GSD-2021-40503"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-40503"
      ],
      "details": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.",
      "id": "GSD-2021-40503",
      "modified": "2023-12-13T01:23:25.670968Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2021-40503",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP GUI for Windows",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "\u003c 7.60 PL13"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "\u003c 7.70 PL4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "null",
          "vectorString": "null",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-522"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3080106",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3080106"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.60",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8_hotfix1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.70:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-40503"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3080106",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3080106"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-29T16:37Z",
      "publishedDate": "2021-11-10T16:15Z"
    }
  }
}

CERTFR-2021-AVI-852

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86
SAP	N/A	SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7
SAP	N/A	SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105
SAP	N/A	SAP GUI pour Windows versions antérieures à 7.60 PL13 et versions 7.70 PL4
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
SAP	N/A	SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34
SAP	N/A	SAP ERP HCM Portugal versions - 600, 604, 608

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 589496864 du 09 novembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows versions ant\u00e9rieures \u00e0 7.60 PL13 et versions 7.70 PL4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP HCM Portugal versions - 600, 604, 608",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-40504",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40504"
    },
    {
      "name": "CVE-2021-42062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42062"
    },
    {
      "name": "CVE-2021-38164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38164"
    },
    {
      "name": "CVE-2021-40501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40501"
    },
    {
      "name": "CVE-2021-40502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40502"
    },
    {
      "name": "CVE-2021-40503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40503"
    },
    {
      "name": "CVE-2020-6369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6369"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-852",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nElles permettent \u00e0 un attaquant de provoquer un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 589496864 du 09 novembre 2021",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ]
}

CERTFR-2021-AVI-852

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86
SAP	N/A	SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7
SAP	N/A	SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105
SAP	N/A	SAP GUI pour Windows versions antérieures à 7.60 PL13 et versions 7.70 PL4
SAP	N/A	SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
SAP	N/A	SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34
SAP	N/A	SAP ERP HCM Portugal versions - 600, 604, 608

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 589496864 du 09 novembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP ABAP Platform Kernel versions - 7.77, 7.81, 7.85, 7.86",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager et SAP Focused Run versions - 9.7, 10.1, 10.5, 10.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions, SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows versions ant\u00e9rieures \u00e0 7.60 PL13 et versions 7.70 PL4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS pour ABAP et ABAP Platform versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions - 2105.3, 2011.13, 2005.18, 1905.34",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP HCM Portugal versions - 600, 604, 608",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-40504",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40504"
    },
    {
      "name": "CVE-2021-42062",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42062"
    },
    {
      "name": "CVE-2021-38164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38164"
    },
    {
      "name": "CVE-2021-40501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40501"
    },
    {
      "name": "CVE-2021-40502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40502"
    },
    {
      "name": "CVE-2021-40503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40503"
    },
    {
      "name": "CVE-2020-6369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6369"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-852",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nElles permettent \u00e0 un attaquant de provoquer un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 589496864 du 09 novembre 2021",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ]
}

FKIE_CVE-2021-40503

Vulnerability from fkie_nvd - Published: 2021-11-10 16:15 - Updated: 2024-11-21 06:24

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/3080106	Permissions Required, Vendor Advisory
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3080106	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	gui_for_windows	*
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.60
sap	gui_for_windows	7.70
sap	gui_for_windows	7.70
sap	gui_for_windows	7.70
sap	gui_for_windows	7.70

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "603CB0D2-BEA4-4414-AE50-39F9A8E568F2",
              "versionEndExcluding": "7.60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:-:*:*:*:*:*:*",
              "matchCriteriaId": "FA071418-F2F0-4530-94C0-94D9295FED83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level1:*:*:*:*:*:*",
              "matchCriteriaId": "E27CD53C-8CA1-4204-829D-3343AC4565B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level10:*:*:*:*:*:*",
              "matchCriteriaId": "0D89F8F8-929B-4D17-B921-CAB3CA2FD405",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level11:*:*:*:*:*:*",
              "matchCriteriaId": "41F78A30-CD1A-4F6D-85DF-26FAF4BCF3AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level12:*:*:*:*:*:*",
              "matchCriteriaId": "F9E07A43-B98A-4E56-B32D-CC6768AAA937",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level2:*:*:*:*:*:*",
              "matchCriteriaId": "1E0246DF-E354-4191-91DA-99880E1BD08A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level3:*:*:*:*:*:*",
              "matchCriteriaId": "140210E1-95C6-4EB5-A854-44E9EA03DD27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level4:*:*:*:*:*:*",
              "matchCriteriaId": "0FD672D2-D67A-4576-8F9B-92177AF51151",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level5:*:*:*:*:*:*",
              "matchCriteriaId": "AE686D3C-E814-42D6-9F33-839763B53968",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level6:*:*:*:*:*:*",
              "matchCriteriaId": "711DE87F-72AA-4A6F-8F53-18758A195ED3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level7:*:*:*:*:*:*",
              "matchCriteriaId": "8E44C0EE-8ED0-42E8-81FB-7FE7FC9308E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8:*:*:*:*:*:*",
              "matchCriteriaId": "98A928B5-F8AA-4CD0-A8A5-D4E04AB3856A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level8_hotfix1:*:*:*:*:*:*",
              "matchCriteriaId": "9415406D-32AF-41EB-A351-2DE0306657DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.60:patch_level9:*:*:*:*:*:*",
              "matchCriteriaId": "C7B83282-AD56-455F-9979-4F4D145F9798",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.70:-:*:*:*:*:*:*",
              "matchCriteriaId": "FE1286F1-B9A5-4F25-B083-272943D90023",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level1:*:*:*:*:*:*",
              "matchCriteriaId": "FF605CA1-E860-4185-A358-FE967E0DE408",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level2:*:*:*:*:*:*",
              "matchCriteriaId": "181183AC-5621-4895-82E1-E91D9DCAB69A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:gui_for_windows:7.70:patch_level3:*:*:*:*:*:*",
              "matchCriteriaId": "DD057E0A-C836-46ED-ACB3-1C80CECACD60",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user."
    },
    {
      "lang": "es",
      "value": "Se presenta una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en SAP GUI para Windows - versiones anteriores a 7.60 PL13, 7.70 PL4, que permite a un atacante con privilegios suficientes en el PC local del lado del cliente obtener un equivalente de la contrase\u00f1a del usuario. Con estos datos altamente confidenciales filtrados, el atacante podr\u00eda iniciar la sesi\u00f3n en el sistema backend al que estaba conectada la SAP GUI para Windows y lanzar otros ataques en funci\u00f3n de las autorizaciones del usuario"
    }
  ],
  "id": "CVE-2021-40503",
  "lastModified": "2024-11-21T06:24:16.697",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-10T16:15:08.757",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3080106"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3080106"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-J8R9-MCXG-MJG4

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-40503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure vulnerability exists in SAP GUI for Windows - versions \u003c 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user\u2019s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.",
  "id": "GHSA-j8r9-mcxg-mjg4",
  "modified": "2022-05-24T22:28:44Z",
  "published": "2022-05-24T22:28:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40503"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3080106"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-40503 (GCVE-0-2021-40503)

GSD-2021-40503

CERTFR-2021-AVI-852

Solution

CERTFR-2021-AVI-852

Solution

FKIE_CVE-2021-40503

GHSA-J8R9-MCXG-MJG4

Tags

Sightings

Nomenclature