CVE-2021-21474
Summary
| CVE | CVE-2021-21474 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-02-09 21:15:00 UTC |
| Updated | 2022-07-12 17:42:00 UTC |
| Description | SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and without invalidating the digital signature, this allows them to impersonate as user in HANA database and be able to read the contents in the database. |
Risk And Classification
Problem Types: CWE-326
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Sap | Hana Database | 1.00 | All | All | All |
| Application | Sap | Hana Database | 2.00 | All | All | All |
| Application | Sap | Hana Database | 1.00 | All | All | All |
| Application | Sap | Hana Database | 2.00 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| launchpad.support.sap.com | MISC | launchpad.support.sap.com | Permissions Required |
| SAP Security Patch Day – February 2021 - Product Security Response at SAP - Community Wiki | MISC | wiki.scn.sap.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.