CVE-2021-38176

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

Published: Sep 14, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-38176
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
sap / landscape_transformation_replication_server	1.0	1.0.x
sap / s/4hana	1511	1511.x
sap / s/4hana	1610	1610.x
sap / s/4hana	1709	1709.x
sap / s/4hana	1809	1809.x
sap / s/4hana	1909	1909.x
sap / s/4hana	2020	2020.x
sap / s/4hana	2021	2021.x
sap / landscape_transformation	2.0	2.0.x
sap / test_data_migration_server	4.0	4.0.x
sap / landscape_transformation_replication_server	3.0	3.0.x
sap / landscape_transformation_replication_server	2.0	2.0.x

Vulnerability Database

290,206

CVE-2021-38176