FKIE_CVE-2021-27610

Vulnerability from fkie_nvd - Published: 2021-06-16 15:15 - Updated: 2024-11-21 05:58
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/3007182Permissions Required, Vendor Advisory
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/3007182Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999Vendor Advisory
Impacted products
Vendor Product Version
sap netweaver_abap 700
sap netweaver_abap 701
sap netweaver_abap 702
sap netweaver_abap 731
sap netweaver_abap 740
sap netweaver_abap 750
sap netweaver_abap 751
sap netweaver_abap 752
sap netweaver_abap 753
sap netweaver_abap 754
sap netweaver_abap 755
sap netweaver_abap 804
sap netweaver_application_server_abap 700
sap netweaver_application_server_abap 701
sap netweaver_application_server_abap 702
sap netweaver_application_server_abap 731
sap netweaver_application_server_abap 740
sap netweaver_application_server_abap 750
sap netweaver_application_server_abap 751
sap netweaver_application_server_abap 752
sap netweaver_application_server_abap 753
sap netweaver_application_server_abap 754
sap netweaver_application_server_abap 755
sap netweaver_application_server_abap 804
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0DA7CC6-A0F6-4839-965D-C60F691496AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "6497854E-9C7B-4DAF-ADC6-F26523BB7D47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFC58754-3A9D-4320-AB4F-385FB72608E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B8A73A5-4526-40E1-A540-0A6C3F93DA05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "09A38B6E-03DC-4086-A307-542B35814E0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "4651257F-7BFC-41AE-8E37-8C96F822CE58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "EECB438D-D5CD-4483-934F-4C814A725A35",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "14A1CD95-14E1-438A-92FB-A0E47A88C59F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "4148303B-133A-4FD2-B546-DD86C5D0E7C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "424A3D68-0825-4A2C-BEB1-DC9A212A5E42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_abap:804:*:*:*:*:*:*:*",
              "matchCriteriaId": "5EFD3BCC-9B3E-49F2-B469-C465381303B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "98B2522A-B850-4EC2-B2F2-5EBF36801B39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CC29738-CF17-4E6B-9C9E-879B17F7E001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "127E508F-6CC1-41C8-96DF-8D14FFDD4020",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "7777AA80-1608-420E-B7D5-09ABECD51728",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "0539618A-1C4D-463F-B2BB-DD1C239C23EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "62828DCD-F80E-4C7C-A988-EFEA06A5223E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9F38585-73AE-4DBB-A978-F0272DF8FB58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "D416C064-BB8A-4230-A761-84A93E017F79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*",
              "matchCriteriaId": "2132C1C0-AD61-4C85-BA07-523206815A4D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver ABAP Server y ABAP Platform, versiones - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, no crea informaci\u00f3n sobre el usuario RFC interno y externo en un formato consistente y distinguible, lo que podr\u00eda conllevar a una autenticaci\u00f3n inapropiada y podr\u00eda ser explotado por usuarios maliciosos para obtener acceso ileg\u00edtimo al sistema"
    }
  ],
  "id": "CVE-2021-27610",
  "lastModified": "2024-11-21T05:58:17.543",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-16T15:15:08.363",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3007182"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3007182"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.