CVE-2021-40503Insufficiently Protected Credentials in SE SAP GUI FOR Windows

CWE-522Insufficiently Protected CredentialsCWE-200Sensitive Information Exposure3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 87.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP GUI FOR WindowsSAP GUI FOR Windows
Timeline
PublishedNov 10
Latest updateMay 24

Description

An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5sap_se/sap_gui_for_windows< 7.60 PL13+1
NVDsap/gui< 7.60+2

🔴Vulnerability Details

2
GHSA
GHSA-j8r9-mcxg-mjg4: An information disclosure vulnerability exists in SAP GUI for Windows - versions < 72022-05-24
CVEList
CVE-2021-40503: An information disclosure vulnerability exists in SAP GUI for Windows - versions < 72021-11-10
CVE-2021-40503 — Insufficiently Protected Credentials | cvebase