CVE-2021-21472

EPSS 0.19%
Published 09.02.2021 21:15:13
Last modified 21.11.2024 05:48:26
Source cna@sap.com
Teams watchlist Login
Open Login

SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Software Provisioning Manager Version1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.19%	0.38

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
cna@sap.com	6.3	2.8	3.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2998173

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-21472

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21472

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21472

EUVD