FKIE_CVE-2021-38164

Vulnerability from fkie_nvd - Published: 2021-09-14 12:15 - Updated: 2024-11-21 06:16
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/3068582Permissions Required
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/3068582Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405Vendor Advisory
Impacted products
Vendor Product Version
sap erp_financial_accounting 100
sap erp_financial_accounting 101
sap erp_financial_accounting 102
sap erp_financial_accounting 103
sap erp_financial_accounting 104
sap erp_financial_accounting 105
sap erp_financial_accounting 602
sap erp_financial_accounting 603
sap erp_financial_accounting 604
sap erp_financial_accounting 605
sap erp_financial_accounting 606
sap erp_financial_accounting 616
sap erp_financial_accounting 618
sap erp_financial_accounting 700
sap erp_financial_accounting 720
sap erp_financial_accounting 730
sap erp_financial_accounting s4core
sap erp_financial_accounting sap_appl_-_600
sap erp_financial_accounting sap_fin_-_617
sap erp_financial_accounting sapscore_-_125
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:100:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B5FED0E-F340-413A-B047-1CD17E912505",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:101:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6C0BF45-AADF-4CBD-ABC0-0D23AFD63BAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:102:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BA76D68-91A6-43F2-A812-FB33879B5F8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:103:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C4A9B55-E8E4-4B6E-B76A-FD7BA1E00A6B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:104:*:*:*:*:*:*:*",
              "matchCriteriaId": "0743B7E3-325C-46C0-8466-AD6EAB89DEBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:105:*:*:*:*:*:*:*",
              "matchCriteriaId": "23B4086D-C7DB-4B88-8FCE-D95A4BE68854",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:602:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F697EDC-D24F-46F8-AFE8-6F0FFA780279",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:603:*:*:*:*:*:*:*",
              "matchCriteriaId": "62485182-31FF-4DB6-8DF0-20405D859E23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:604:*:*:*:*:*:*:*",
              "matchCriteriaId": "64A6C2AC-2A12-4143-A46B-8EDE8D9B612D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:605:*:*:*:*:*:*:*",
              "matchCriteriaId": "60F84DC8-664D-4B27-8440-43C4F5C21033",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:606:*:*:*:*:*:*:*",
              "matchCriteriaId": "853990B2-777E-4A6E-A85E-053891A04015",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:616:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A7C3205-BBA6-4C28-B4CE-740829D3A98C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:618:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3C2AF1E-8905-4039-8376-3BB81F2E0245",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB2789AF-3FAE-467A-9296-B33CD953231E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:720:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9F9A4B4-B1CC-462D-9A04-328C067CBEE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:730:*:*:*:*:*:*:*",
              "matchCriteriaId": "98A55DFC-B5B1-4EA3-9E71-2BC5696E3A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:s4core:*:*:*:*:*:*:*",
              "matchCriteriaId": "41BA91BC-778C-403F-BDD8-24321E834AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:sap_appl_-_600:*:*:*:*:*:*:*",
              "matchCriteriaId": "93B22960-628F-484D-8442-E378D491817E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:sap_fin_-_617:*:*:*:*:*:*:*",
              "matchCriteriaId": "35A552DC-87FF-4781-A613-621B4DA27721",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_financial_accounting:sapscore_-_125:*:*:*:*:*:*:*",
              "matchCriteriaId": "618D82D7-3DF6-4932-A2C7-82F34A12EE86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to."
    },
    {
      "lang": "es",
      "value": "SAP ERP Financial Accounting (RFOPENPOSTING_FR) versiones - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, permiten a un atacante registrado invocar determinadas funciones que de otro modo estar\u00edan restringidas a usuarios espec\u00edficos. Estas funciones suelen estar expuestas a trav\u00e9s de la red y, una vez explotadas, el atacante puede ser capaz de visualizar y modificar datos de contabilidad financiera a los que s\u00f3lo deber\u00eda tener acceso un usuario espec\u00edfico"
    }
  ],
  "id": "CVE-2021-38164",
  "lastModified": "2024-11-21T06:16:32.037",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-09-14T12:15:10.963",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3068582"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3068582"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.