CVE-2021-21465 – SAP Security Note 2986980 addresses vulnerabilities identified in the SAP Business Warehouse (BW) Database Interface.
Reason and Prerequisite:
- A user can read more information than they are authorized for.
- Passing malicious SQL commands to the module can lead to an SQL injection vulnerability.
SQL Injection (CVE-2021-21465)
The BW Database Interface allows an attacker with low privileges to execute arbitrary crafted database queries.
If the attacker includes their own commands, the backend database is exposed, leading to an SQL injection vulnerability.
CVSS Score: 9.9; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Missing Authorization check (CVE-2021-21468)
The BW Database Interface does not perform the necessary authorization checks for an authenticated user, so an attacker can read any database table.
CVSS Score: 6.5; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Disable the affected SAP function module, either by applying the correction instruction attached to the SAP Note or by applying the equivalent support package suggested there.
After the correction is applied, SAP users can no longer execute the function module; any call to it ends in a short dump.
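The two controls whose absence the note describes are an authorization check on the requested table and validation of caller-supplied names and values before they reach dynamic Open SQL. The following ABAP report is an added illustration of that hardened pattern; it is not SAP's code and not the affected BW function module (which is not named on this page). The report name, the local classes, the allow-list of tables and the sample call are constructed for the example, and it assumes a release that provides CL_ABAP_DYN_PRG with CHECK_WHITELIST_STR, CHECK_COLUMN_NAME and QUOTE (7.40 or later).

```abap
" Added illustration for this advisory; not SAP's code and not the affected
" BW function module. Shows a table read that (1) restricts the table to an
" allow-list, (2) checks S_TABU_NAM for the calling user, and (3) validates
" the column name and embeds the filter value only as a quoted literal.
" Assumes CL_ABAP_DYN_PRG (7.40 or later). Names below are constructed.
REPORT zdemo_safe_dyn_select.

" Raised when the caller lacks display authorization for the table.
CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_reader DEFINITION.
  PUBLIC SECTION.
    " Constructed allow-list: only these tables may be read through this routine.
    CONSTANTS gc_allowed_tables TYPE string VALUE 'T001,T005'.
    CLASS-METHODS read_rows
      IMPORTING iv_table       TYPE csequence
                iv_column      TYPE csequence
                iv_value       TYPE csequence
      RETURNING VALUE(rr_rows) TYPE REF TO data
      RAISING   cx_abap_not_in_whitelist
                cx_abap_invalid_name
                lcx_not_authorized.
ENDCLASS.

CLASS lcl_reader IMPLEMENTATION.
  METHOD read_rows.
    DATA lv_table TYPE tabname.
    FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

    " 1. The table name must be on the allow-list; anything else is rejected.
    "    The weak pattern passes iv_table straight into FROM (...), which is
    "    what lets an authenticated user read any table.
    lv_table = cl_abap_dyn_prg=>check_whitelist_str(
                 val       = iv_table
                 whitelist = gc_allowed_tables ).

    " 2. The calling user needs display authorization (ACTVT 03) for the table.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD lv_table
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.

    " 3. The column must be a syntactically valid field name ...
    cl_abap_dyn_prg=>check_column_name( val = iv_column strict = abap_true ).

    " 4. ... and the value is embedded only as a quoted, escaped literal, so
    "    a crafted value such as DE' OR 'A' = 'A remains one string comparison
    "    instead of becoming extra SQL.
    DATA(lv_where) = |{ iv_column } = { cl_abap_dyn_prg=>quote( iv_value ) }|.

    CREATE DATA rr_rows TYPE STANDARD TABLE OF (lv_table).
    ASSIGN rr_rows->* TO <lt_rows>.
    SELECT * FROM (lv_table)
      WHERE (lv_where)
      UP TO 100 ROWS
      INTO TABLE @<lt_rows>.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample call: company codes (T001) filtered by country key.
  TRY.
      DATA(lr_rows) = lcl_reader=>read_rows( iv_table  = 'T001'
                                             iv_column = 'LAND1'
                                             iv_value  = 'DE' ).
      FIELD-SYMBOLS <lt_result> TYPE STANDARD TABLE.
      ASSIGN lr_rows->* TO <lt_result>.
      cl_demo_output=>display( <lt_result> ).
    CATCH cx_abap_not_in_whitelist cx_abap_invalid_name lcx_not_authorized
          INTO DATA(lx_error).
      " A rejected table, an invalid column name, or a missing authorization
      " ends here instead of reaching the database.
      cl_demo_output=>display( lx_error->get_text( ) ).
  ENDTRY.
```

The allow-list plus the AUTHORITY-CHECK addresses the missing-authorization issue (CVE-2021-21468): a user who is not authorized for the table never reaches the SELECT. Quoting the value and validating the column name address the injection issue (CVE-2021-21465): caller input can only ever be a table name from the list, a column name, or a string literal, never additional SQL.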
CVSS v3.0 Base Vector (CVE-2021-21465):

| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | Low (L) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed (C) |
| Confidentiality Impact (C) | High (H) |
| Integrity Impact (I) | High (H) |
| Availability Impact (A) | High (H) |

CVSS v3.0 Base Score: 9.9 / 10
Note: Always refer to the latest versions of the SAP Notes on the SAP Support Portal.