CVE-2021-21486 — Missing Authorization in SE SAP Enterprise Financial Services

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 65.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Enterprise Financial Services SAP Enterprise Financial Services

Timeline

PublishedMar 9

Latest updateMay 24

Description

SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_enterprise_financial_services< 101+13

▶NVDsap/enterprise_financial_services14 versions+13

🔴Vulnerability Details

GHSA

GHSA-6g9h-vg2g-h3mq: SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authoriza↗2022-05-24

▶

CVEList

CVE-2021-21486: SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authoriza↗2021-03-09

▶