cnvd - cnvd-2021-47705

CNVD-2021-47705

Vulnerability from cnvd - Published: 2021-07-06

Title

SAP NetWeaver AS for ABAP跨站脚本漏洞

Description

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。 SAP NetWeaver AS for ABAP存在跨站脚本漏洞，攻击者可利用该漏洞访问与当前会话相关的数据，并使用该会话冒充用户访问与目标用户具有相同权限的所有信息。

Severity

中

Patch Name

SAP NetWeaver AS for ABAP跨站脚本漏洞的补丁

Patch Description

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。 SAP NetWeaver AS for ABAP存在跨站脚本漏洞，攻击者可利用该漏洞访问与当前会话相关的数据，并使用该会话冒充用户访问与目标用户具有相同权限的所有信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序,请及时关注更新： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21490

Impacted products

Name
['SAP NetWeaver AS for ABAP（Web Survey） 700', 'SAP NetWeaver AS for ABAP（Web Survey） 702', 'SAP NetWeaver AS for ABAP（Web Survey） 710', 'SAP NetWeaver AS for ABAP（Web Survey） 711', 'SAP NetWeaver AS for ABAP（Web Survey） 730', 'SAP NetWeaver AS for ABAP（Web Survey） 731', 'SAP NetWeaver AS for ABAP（Web Survey） 750', 'SAP NetWeaver AS for ABAP（Web Survey） 752', 'SAP NetWeaver AS for ABAP（Web Survey） 75A', 'SAP NetWeaver AS for ABAP（Web Survey） 75F']

Name

['SAP NetWeaver AS for ABAP（Web Survey） 700', 'SAP NetWeaver AS for ABAP（Web Survey） 702', 'SAP NetWeaver AS for ABAP（Web Survey） 710', 'SAP NetWeaver AS for ABAP（Web Survey） 711', 'SAP NetWeaver AS for ABAP（Web Survey） 730', 'SAP NetWeaver AS for ABAP（Web Survey） 731', 'SAP NetWeaver AS for ABAP（Web Survey） 750', 'SAP NetWeaver AS for ABAP（Web Survey） 752', 'SAP NetWeaver AS for ABAP（Web Survey） 75A', 'SAP NetWeaver AS for ABAP（Web Survey） 75F']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21490",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21490"
    }
  },
  "description": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\n\nSAP NetWeaver AS for ABAP\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e0e\u5f53\u524d\u4f1a\u8bdd\u76f8\u5173\u7684\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u8be5\u4f1a\u8bdd\u5192\u5145\u7528\u6237\u8bbf\u95ee\u4e0e\u76ee\u6807\u7528\u6237\u5177\u6709\u76f8\u540c\u6743\u9650\u7684\u6240\u6709\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f,\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47705",
  "openTime": "2021-07-06",
  "patchDescription": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002\r\n\r\nSAP NetWeaver AS for ABAP\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e0e\u5f53\u524d\u4f1a\u8bdd\u76f8\u5173\u7684\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u8be5\u4f1a\u8bdd\u5192\u5145\u7528\u6237\u8bbf\u95ee\u4e0e\u76ee\u6807\u7528\u6237\u5177\u6709\u76f8\u540c\u6743\u9650\u7684\u6240\u6709\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS for ABAP\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 700",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 702",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 710",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 711",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 730",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 731",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 750",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 752",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 75A",
      "SAP NetWeaver AS for ABAP\uff08Web Survey\uff09 75F"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21490",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-11",
  "title": "SAP NetWeaver AS for ABAP\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-21490 (GCVE-0-2021-21490)

Vulnerability from cvelistv5 – Published: 2021-06-09 13:23 – Updated: 2024-08-03 18:16

Summary

SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Cross Site Scripting

Assigner

sap

References

URL

Tags

	https://launchpad.support.sap.com/#/notes/3004043	x_refsource_MISC
	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP NetWeaver AS for ABAP (Web Survey)	Affected: < 700 Affected: < 702 Affected: < 710 Affected: < 711 Affected: < 730 Affected: < 731 Affected: < 750 Affected: < 752 Affected: < 75A Affected: < 75F

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:16:22.657Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3004043"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver AS for ABAP (Web Survey)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 700"
            },
            {
              "status": "affected",
              "version": "\u003c 702"
            },
            {
              "status": "affected",
              "version": "\u003c 710"
            },
            {
              "status": "affected",
              "version": "\u003c 711"
            },
            {
              "status": "affected",
              "version": "\u003c 730"
            },
            {
              "status": "affected",
              "version": "\u003c 731"
            },
            {
              "status": "affected",
              "version": "\u003c 750"
            },
            {
              "status": "affected",
              "version": "\u003c 752"
            },
            {
              "status": "affected",
              "version": "\u003c 75A"
            },
            {
              "status": "affected",
              "version": "\u003c 75F"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-09T13:23:40",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3004043"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-21490",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver AS for ABAP (Web Survey)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "700"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "702"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "710"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "711"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "730"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "731"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "750"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "750"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "752"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "75A"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "75F"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "6.1",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/3004043",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3004043"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-21490",
    "datePublished": "2021-06-09T13:23:40",
    "dateReserved": "2020-12-30T00:00:00",
    "dateUpdated": "2024-08-03T18:16:22.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-47705

CVE-2021-21490 (GCVE-0-2021-21490)

Tags

Sightings

Nomenclature