fkie_cve-2021-21481
Vulnerability from fkie_nvd
Published
2021-03-09 15:15
Modified
2024-11-21 05:48
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/3022422Permissions Required, Vendor Advisory
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/3022422Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107Vendor Advisory
Impacted products
Vendor Product Version
sap netweaver 7.10
sap netweaver 7.11
sap netweaver 7.20
sap netweaver 7.30
sap netweaver 7.31
sap netweaver 7.40
sap netweaver 7.50


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDFFDB95-B956-4B22-81F4-A4074D49D4A8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "21A3F6A8-B060-48CE-841F-698F8F779191",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "53B11A3B-C559-428C-8946-7FD9FFBFA1BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "606EFE4F-57A4-44E2-A98D-F0867A658218",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "FECD5E96-7669-4747-80D2-27F95BF420BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "F019F7F5-7740-4BD4-850F-D7A1923C6200",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B37045-2FB7-49BB-AE38-B84FAA6ADFB0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability."
    },
    {
      "lang": "es",
      "value": "MigrationService, que forma parte de SAP NetWeaver versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo una comprobaci\u00f3n de autorizaci\u00f3n.\u0026#xa0;Esto podr\u00eda permitir a un atacante no autorizado acceder a los objetos de configuraci\u00f3n, incluyendo los que otorgan privilegios administrativos.\u0026#xa0;Esto podr\u00eda resultar en un compromiso total de la confidencialidad, integridad y disponibilidad del sistema"
    }
  ],
  "id": "CVE-2021-21481",
  "lastModified": "2024-11-21T05:48:27.593",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-09T15:15:14.787",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3022422"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3022422"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.