CVE-2021-38176
Last modified
CVE-2021-38176 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.. EPSS estimates a 1.23% chance of exploitation in the next 30 days.
Description
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sap | Landscape Transformation | 2.0 |
| Sap | Landscape Transformation Replication Server | 1.0 |
| Sap | Landscape Transformation Replication Server | 2.0 |
| Sap | Landscape Transformation Replication Server | 3.0 |
| Sap | S\/4hana | 1511 |
| Sap | S\/4hana | 1610 |
| Sap | S\/4hana | 1709 |
| Sap | S\/4hana | 1809 |
| Sap | S\/4hana | 1909 |
| Sap | S\/4hana | 2020 |
| Sap | S\/4hana | 2021 |
| Sap | Test Data Migration Server | 4.0 |
References
- https://launchpad.support.sap.com/#/notes/3089831Permissions Required
- https://launchpad.support.sap.com/#/notes/3089831Permissions Required
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-38176?
How severe is CVE-2021-38176?
How do I fix CVE-2021-38176?
Are you affected by CVE-2021-38176?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST