FKIE_CVE-2021-21468

Vulnerability from fkie_nvd - Published: 2021-01-12 15:15 - Updated: 2026-06-17 03:35
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.
References
cna@sap.comhttp://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.htmlExploit, Third Party Advisory, VDB Entry
cna@sap.comhttp://seclists.org/fulldisclosure/2022/May/42Exploit, Mailing List, Third Party Advisory
cna@sap.comhttps://launchpad.support.sap.com/#/notes/2986980Permissions Required, Vendor Advisory
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2022/May/42Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/2986980Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476Vendor Advisory
Impacted products
Vendor Product Version
sap business_warehouse 710
sap business_warehouse 711
sap business_warehouse 730
sap business_warehouse 731
sap business_warehouse 740
sap business_warehouse 750
sap business_warehouse 751
sap business_warehouse 752
sap business_warehouse 753
sap business_warehouse 754
sap business_warehouse 755
sap business_warehouse 782
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "SAP Business Warehouse",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 710"
            },
            {
              "status": "affected",
              "version": "\u003c 711"
            },
            {
              "status": "affected",
              "version": "\u003c 730"
            },
            {
              "status": "affected",
              "version": "\u003c 731"
            },
            {
              "status": "affected",
              "version": "\u003c 740"
            },
            {
              "status": "affected",
              "version": "\u003c 750"
            },
            {
              "status": "affected",
              "version": "\u003c 751"
            },
            {
              "status": "affected",
              "version": "\u003c 752"
            },
            {
              "status": "affected",
              "version": "\u003c 753"
            },
            {
              "status": "affected",
              "version": "\u003c 754"
            },
            {
              "status": "affected",
              "version": "\u003c 755"
            },
            {
              "status": "affected",
              "version": "\u003c 782"
            }
          ]
        }
      ],
      "source": "cna@sap.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:710:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7FAC6A3-1ADF-48F2-971B-5ADF9F101583",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:711:*:*:*:*:*:*:*",
              "matchCriteriaId": "11DE777B-AA53-4A6B-AD6E-5DCEEAC217AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:730:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF8F2CE3-BA4B-4A9C-A284-87F0AB797B92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "00732AD2-BEED-4C1F-AC39-46E6F33CBB5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC7DABAD-36FA-49D7-8C3C-3AA49604BE37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "526C11C6-B67D-49F1-94E6-A324AA581EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A4E38AC-5888-4ABD-AAB1-BC5312701195",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D7A93A1-3D65-4C79-92B1-E433EE443478",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E03381-893C-4646-9150-303AB4F6144B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "1400B8E5-8400-420A-8581-9F3B07EF6BF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "2ABE173B-C66E-4A69-9735-E325C0DAC062",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:business_warehouse:782:*:*:*:*:*:*:*",
              "matchCriteriaId": "929A4FB3-BEEF-4A69-B77C-FD1A0B3C7DFF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table."
    },
    {
      "lang": "es",
      "value": "La interfaz de Base de Datos de BW no lleva a cabo las comprobaciones de autorizaci\u00f3n necesarias para un usuario autenticado, resultando en una escalada de privilegios que permite al usuario leer pr\u00e1cticamente cualquier tabla de la base de datos"
    }
  ],
  "id": "CVE-2021-21468",
  "lastModified": "2026-06-17T03:35:37.933",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-12T15:15:16.093",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/42"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2986980"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/42"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2986980"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.