SAP Patches Serious Code Injection, DoS Vulnerabilities (Security News, January 2021)
German software maker SAP has published 10 advisories documenting flaws and fixes for a range of serious security vulnerabilities.
The most important of these, which deal with multiple vulnerabilities in SAP Business Warehouse, carry a CVSS score of 9.9.
The first of the notes addresses CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse.
According to Onapsis, a firm that secures Oracle and SAP applications, these bugs are an SQL injection and a missing authorization check.
The second note addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA. Caused by insufficient input validation, the flaw could be abused to inject malicious code that is stored persistently as a report and executed later, potentially affecting the confidentiality, integrity, and availability of the system.
A second note, which SAP released ahead of the January 2021 Patch Day, fixes "An issue in the binding process of the Central Order service to a Cloud Foundry application" that could have allowed "Unauthorized SAP employees to access the binding credentials of the service."
Related Vulnerabilities
Date | CVE | Vulnerability | Risk (CVSS score) |
---|---|---|---|
2021-01-12 | CVE-2021-21465 | SQL Injection vulnerability in SAP Business Warehouse: the BW Database Interface allows an attacker with low privileges to execute crafted database queries, exposing the backend database. | 6.5 |
2021-01-12 | CVE-2021-21466 | Code Injection vulnerability in SAP Business Warehouse and BW/4HANA: SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782, and SAP BW/4HANA, versions 100 and 200, allow a low-privileged attacker to inject code using a remote-enabled function module over the network. | 8.8 |