CVE-2021-21477

SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.

Published: Feb 9, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-21477
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
sap / commerce	1808	1808.x
sap / commerce	1811	1811.x
sap / commerce	1905	1905.x
sap / commerce	2005	2005.x
sap / commerce	2011	2011.x

https://launchpad.support.sap.com/#/notes/3014121
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543

Vulnerability Database

289,697

CVE-2021-21477