Vulnerabilities > SAP > Critical

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-37535 Missing Authorization vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.
network
low complexity
sap CWE-862
critical
9.8
2021-09-14 CVE-2021-38162 HTTP Request Smuggling vulnerability in SAP web Dispatcher
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages.
network
low complexity
sap CWE-444
critical
9.4
2021-08-09 CVE-2014-9320 Improper Authentication vulnerability in SAP Businessobjects Edge 4.1
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and consequently gain SYSTEM privileges via vectors involving CORBA calls, aka SAP Note 2039905.
network
low complexity
sap CWE-287
critical
9.8
2021-06-16 CVE-2021-27610 Improper Authentication vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
network
low complexity
sap CWE-287
critical
9.8
2021-04-13 CVE-2021-27602 Code Injection vulnerability in SAP Commerce
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application.
network
low complexity
sap CWE-94
critical
9.9
2021-03-09 CVE-2021-21484 Incorrect Authorization vulnerability in SAP Hana 2.0
LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
network
low complexity
sap CWE-863
critical
9.8
2021-02-09 CVE-2021-21479 Injection vulnerability in SAP Scimono
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.
network
low complexity
sap CWE-74
critical
9.1
2021-02-09 CVE-2021-21477 Code Injection vulnerability in SAP Commerce
SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.
network
low complexity
sap CWE-94
critical
9.9
2021-01-12 CVE-2021-21465 SQL Injection vulnerability in SAP Business Warehouse
The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database.
network
low complexity
sap CWE-89
critical
9.9
2020-12-09 CVE-2020-26838 OS Command Injection vulnerability in SAP Business Warehouse and Bw/4Hana
SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction.
network
low complexity
sap CWE-78
critical
9.1