CVE-2021-21465
PUBLISHED
CVSS 9.9 CRITICAL
The BW Database Interface allows an attacker with low privileges to execute arbitrary crafted database queries, exposing the backend database. An attacker can include their own SQL commands, which the database executes because the untrusted data is not properly sanitized. The resulting SQL injection vulnerability can fully compromise the affected SAP system.
EPSS 1.43% · 81.0th percentile
Risk Scores
- CVSS 3.0: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- EPSS Score: 1.43% (81.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SAP SE | SAP Business Warehouse | < 710, < 711, < 730 |
| sap | business_warehouse | 731, 740, 750 |
Exploit Intelligence
- http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html (nist-nvd)
- http://seclists.org/fulldisclosure/2022/May/42 (nist-nvd)
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 (circl)
- https://launchpad.support.sap.com/#/notes/2986980 (circl)
Timeline
- Jan 12, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 advisory
- https://launchpad.support.sap.com/#/notes/2986980 url
- 20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components) mailing-list
- http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html url
- https://nvd.nist.gov/vuln/detail/CVE-2021-21465 advisory
- https://i7p.wdf.sap.corp/sap/support/notes/2986980 url