Lucene search

SapCVELIST:CVE-2021-33704

HistorySep 15, 2021 - 6:01 p.m.

CVE-2021-33704

2021-09-1518:01:56

CWE-862

sap

www.cve.org

sap business one

service layer

authenticated attacker

restricted functions

data abuse

cve-2021-33704

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

CNA Affected

[
  {
    "product": "SAP Business One",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 10.0"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3078072

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806