CVE-2021-38164Missing Authorization in SE SAP ERP Financial Accounting

CWE-862Missing Authorization3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 67.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP ERP Financial AccountingSAP ERP Financial Accounting
Timeline
PublishedSep 14
Latest updateMay 24

Description

SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

CVEListV5sap_se/sap_erp_financial_accounting< SAP_APPL - 600+19
NVDsap/erp_financial_accounting20 versions+19

🔴Vulnerability Details

2
GHSA
GHSA-hfg4-62f6-fjff: SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE -2022-05-24
CVEList
CVE-2021-38164: SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE -2021-09-14
CVE-2021-38164 — Missing Authorization | cvebase