CVE-2021-40501 - Vulnerability Details - OpenCVE

SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Abap Platform Kernel

Configuration 1 [-]

OR	cpe:2.3:a:sap:abap_platform_kernel:7.77:::::::*
	cpe:2.3:a:sap:abap_platform_kernel:7.81:::::::*
	cpe:2.3:a:sap:abap_platform_kernel:7.85:::::::*
	cpe:2.3:a:sap:abap_platform_kernel:7.86:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/3099776
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2021-11-10T15:22:15

Updated: 2024-08-04T02:44:10.848Z

Reserved: 2021-09-03T00:00:00

Link: CVE-2021-40501

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-10T16:15:08.517

Modified: 2024-11-21T06:24:16.423

Link: CVE-2021-40501

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP ABAP Platform Kernel", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.77"}, {"status": "affected", "version": "< 7.81"}, {"status": "affected", "version": "< 7.85"}, {"status": "affected", "version": "< 7.86"}]}], "descriptions": [{"lang": "en", "value": "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-10T15:22:15", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3099776"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2021-40501", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP ABAP Platform Kernel", "version": {"version_data": [{"version_name": "<", "version_value": "7.77"}, {"version_name": "<", "version_value": "7.81"}, {"version_name": "<", "version_value": "7.85"}, {"version_name": "<", "version_value": "7.86"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system."}]}, "impact": {"cvss": {"baseScore": "null", "vectorString": "null", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/3099776", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3099776"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:44:10.848Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/3099776"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-40501", "datePublished": "2021-11-10T15:22:15", "dateReserved": "2021-09-03T00:00:00", "dateUpdated": "2024-08-04T02:44:10.848Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:abap_platform_kernel:7.77:*:*:*:*:*:*:*", "matchCriteriaId": "36BD4905-9BAE-4AAA-9840-48200191430D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform_kernel:7.81:*:*:*:*:*:*:*", "matchCriteriaId": "03CA5653-5E5C-4E9A-B840-65EA3ECEB19E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform_kernel:7.85:*:*:*:*:*:*:*", "matchCriteriaId": "F6B284F5-7F46-4764-8B24-8D4C88E211B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform_kernel:7.86:*:*:*:*:*:*:*", "matchCriteriaId": "04ABF1B3-420D-4181-90B6-A147B35E4112", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system."}, {"lang": "es", "value": "SAP ABAP Platform Kernel - versiones 7.77, 7.81, 7.85, 7.86, no lleva a cabo las comprobaciones de autorizaci\u00f3n necesarias para un usuario empresarial autenticado, resultando en una escalada de privilegios. Esto significa que este usuario empresarial es capaz de leer y modificar datos m\u00e1s all\u00e1 del sistema vulnerable. Sin embargo, el atacante no puede reducir significativamente el rendimiento del sistema ni detenerlo"}], "id": "CVE-2021-40501", "lastModified": "2024-11-21T06:24:16.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-10T16:15:08.517", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/3099776"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/3099776"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}