Security News > 2021 > January > SAP Patches Serious Code Injection, DoS Vulnerabilities

SAP Patches Serious Code Injection, DoS Vulnerabilities
2021-01-12 19:49

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.

Dealing with multiple vulnerabilities in SAP Business Warehouse, the most important of these issues carry a CVSS score of 9.9.

The first of the notes addressed CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse.

These bugs are an SQL Injection and a missing authorization check, Onapsis, a firm that secures Oracle and SAP applications, explains.

The second serious issue addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA. Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets stored persistently as a report and which could be executed afterwards, potentially affecting the confidentiality, integrity, and availability of systems.

A second warning that SAP released prior to the January 2021 Patch day fixes "An issue in the binding process of the Central Order service to a Cloud Foundry application" that could have allowed "Unauthorized SAP employees to access the binding credentials of the service."


News URL

http://feedproxy.google.com/~r/Securityweek/~3/I1Rx9Wefi9E/sap-patches-serious-code-injection-dos-vulnerabilities

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-01-12 CVE-2021-21465 SQL Injection vulnerability in SAP Business Warehouse
The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database.
network
low complexity
sap CWE-89
6.5
2021-01-12 CVE-2021-21466 Code Injection vulnerability in SAP Business Warehouse and Bw/4Hana
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network.
network
low complexity
sap CWE-94
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 401 112 969 240 97 1418