8.8

CVE-2021-40502

EPSS 0.35%
Veröffentlicht 10.11.2021 16:15:08
Zuletzt bearbeitet 21.11.2024 06:24:16
Quelle cna@sap.com
CVE-Watchlists
Login
Unerledigt
Login

SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Commerce Version1905.34

SAP ≫ Commerce Version2005.18

SAP ≫ Commerce Version2011.13

SAP ≫ Commerce Version2105.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.547

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3110328

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-40502

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-40502

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-40502

EUVD