CVE-2021-38176 — SQL Injection in SE SAP Landscape Transformation

CWE-89 — SQL Injection CWE-20 — Improper Input Validation3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Landscape Transformation SAP SE SAP LT Replication Server SAP SE SAP Ltrs FOR S 4hana +6 more

Timeline

PublishedSep 14

Latest updateMay 24

Description

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5sap_se/sap_s_4hana< 1511+6

▶CVEListV5sap_se/sap_ltrs_for_s_4hana< 1.0

▶CVEListV5sap_se/sap_lt_replication_server< 2.0+1

▶CVEListV5sap_se/sap_landscape_transformation< 2.0

▶CVEListV5sap_se/sap_test_data_migration_server< 4.0

🔴Vulnerability Details

GHSA

GHSA-4qx6-hc3f-6gj9: Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution↗2022-05-24

▶

CVEList

CVE-2021-38176: Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution↗2021-09-14

▶