CVE-2021-21477: Code Injection in SAP SE SAP Commerce

CWE-94: Code Injection | 3 documents, 3 sources

Severity: 9.9 CRITICAL (NVD)
EPSS: 1.0% (top 23.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 9; latest update May 24

Description

SAP Commerce Cloud, versions 1808, 1811, 1905, 2005 and 2011, allows certain users with the required privileges to edit Drools rules. An authenticated attacker holding this privilege can inject malicious code into the Drools rules; when the rules are executed, this leads to remote code execution, allowing the attacker to compromise the underlying host and impair the confidentiality, integrity and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages (2 packages)

CVEList V5: sap_se/sap_commerce < 1808 (+4)
NVD: sap/commerce, 5 versions (+4)

Vulnerability Details (2)

GHSA, GHSA-jg2g-jq85-v7jw (2022-05-24): SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacke
CVEList, CVE-2021-21477 (2021-02-09): SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacke
CVE-2021-21477 — Code Injection in SAP SE SAP Commerce | cvebase