CVE-2021-38176
Published on: 09/14/2021 12:00:00 AM UTC
Last Modified on: 07/12/2022 05:42:00 PM UTC
Certain versions of Landscape Transformation from SAP contain the following vulnerability:
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
- CVE-2021-38176 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 8.8 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 9 - HIGH
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
COMPLETE | COMPLETE | COMPLETE |
CVE References
Description | Tags | Link |
---|---|---|
SAP Security Patch Day – September 2021 - Product Security Response at SAP - Community Wiki | | wiki.scn.sap.com text/html |
No Description Provided | | launchpad.support.sap.com text/html |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Sap | Landscape Transformation | 2.0 | All | All | All |
Application | Sap | Landscape Transformation Replication Server | 1.0 | All | All | All |
Application | Sap | Landscape Transformation Replication Server | 2.0 | All | All | All |
Application | Sap | Landscape Transformation Replication Server | 3.0 | All | All | All |
Application | Sap | S/4hana | 1511 | All | All | All |
Application | Sap | S/4hana | 1610 | All | All | All |
Application | Sap | S/4hana | 1709 | All | All | All |
Application | Sap | S/4hana | 1809 | All | All | All |
Application | Sap | S/4hana | 1909 | All | All | All |
Application | Sap | S/4hana | 2020 | All | All | All |
Application | Sap | S/4hana | 2021 | All | All | All |
Application | Sap | Test Data Migration Server | 4.0 | All | All | All |
- cpe:2.3:a:sap:landscape_transformation:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:sap:landscape_transformation_replication_server:1.0:*:*:*:*:s\/4hana:*:*
- cpe:2.3:a:sap:landscape_transformation_replication_server:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:sap:landscape_transformation_replication_server:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:1511:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:1610:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:1709:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:1809:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:1909:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:2020:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4hana:2021:*:*:*:*:*:*:*
- cpe:2.3:a:sap:test_data_migration_server:4.0:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
CVE-2021-38176 : Due to improper input sanitization, an authenticated user with certain specific privileges can rem… twitter.com/i/web/status/1… | 2021-09-14 12:12:31 |