CVE-2021-40504 — Incorrect Authorization in SE SAP Netweaver AS FOR Abap AND Abap Platform

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.1%

top 71.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Abap AND Abap Platform SAP Netweaver Application Server Abap

Timeline

PublishedNov 10

Latest updateMay 24

Description

A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_abap_and_abap_platform< 700+14

▶NVDsap/netweaver_application15 versions+14

🔴Vulnerability Details

GHSA

GHSA-jpqf-f2v3-px9w: A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 75↗2022-05-24

▶

CVEList

CVE-2021-40504: A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 75↗2021-11-10

▶