CVE-2021-21473 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21473
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el módulo de función SRM_RFC_SUBMIT_REPORT que no comprueba la autorización de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/3002517 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-862: Missing Authorization •
CVE-2021-21490
https://notcve.org/view.php?id=CVE-2021-21490
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS para ABAP (Web Survey), versiones: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, no codifica suficientemente los parámetros input y output, lo que resulta en una vulnerabilidad de tipo cross site scripting reflejado, mediante el cual un usuario malicioso puede acceder a los datos relacionados con la sesión actual y usarlos para hacerse pasar por un usuario y acceder a toda la información con los mismos derechos que el usuario objetivo • https://launchpad.support.sap.com/#/notes/3004043 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27611
https://notcve.org/view.php?id=CVE-2021-27611
SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service. SAP NetWeaver AS ABAP, versiones - 700, 701, 702, 730, 731, permiten a un atacante muy privilegiado inyectar código malicioso al ejecutar un reporte ABAP cuando el atacante tiene acceso al sistema SAP local. El atacante puede entonces conseguir acceso a los datos, sobrescribirlos o ejecutar una denegación de servicio • https://launchpad.support.sap.com/#/notes/3046610 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-27603
https://notcve.org/view.php?id=CVE-2021-27603
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. Un módulo de función SPI_WAIT_MILLIS habilitado para RFC en SAP NetWeaver AS ABAP, versiones - 731, 740, 750, permite mantener un proceso de trabajo ocupado durante cualquier período de tiempo. Un atacante podría llamar a este módulo de funciones varias veces para bloquear todos los procesos de trabajo, conllevando a una Denegación de Servicio y afectaría la Disponibilidad del sistema SAP • https://launchpad.support.sap.com/#/notes/3028729 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 •
CVE-2020-26832 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2020-26832
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable. SAP AS ABAP (SAP Landscape Transformation), versiones - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 y SAP S4 HANA (SAP Landscape Transformation), versiones - 101, 102, 103, 104, 105, permite a un usuario muy privilegiado ejecutar un módulo de función RFC al que debe estar restringido el acceso; sin embargo, debido a una falta de autorización, un atacante puede obtener acceso a información interna confidencial del sistema SAP vulnerable o hacer a sistemas SAP vulnerables no disponibles completamente The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/2993132 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 • CWE-862: Missing Authorization •