CVE-2021-27602

CWE-94Code Injection3 documents3 sources
Severity
9.9CRITICAL
EPSS
1.9%
top 16.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP CommerceSAP Commerce
Timeline
PublishedApr 13
Latest updateMay 24

Description

SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

CVEListV5sap_se/sap_commerce< 1808+4
NVDsap/commerce5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-cpjq-97hc-mc3c: SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are transla2022-05-24
CVEList
CVE-2021-27602: SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are transla2021-04-13
CVE-2021-27602 (CRITICAL CVSS 9.9) | SAP Commerce | cvebase.io