CVE-2021-38176

CVSS 9.9 CRITICALEPSS 1.2%

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.9EPSS 1.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Sep 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

SAP SE · SAP Landscape Transformation SAP SE · SAP LT Replication Server SAP SE · SAP LTRS for S/4HANA SAP SE · SAP S/4HANA SAP SE · SAP Test Data Migration Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://launchpad.support.sap.com/#/notes/3089831 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405