Information security specialists report the detection of three severe vulnerabilities in various products of the technology firm SAP. According to the report, successful exploitation of these flaws would allow the deployment of various attack scenarios.
Below are brief reports of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-40501: The absence of authorization checks within the SAP ABAP Platform kernel would allow unauthenticated remote threat actors to send a specially crafted request to the target application and execute arbitrary code.
This flaw received a CVSS score of 8.6/10 and its successful exploitation could put the entire affected system at risk. The vulnerability resides in the following versions of SAP ABAP Platform: 7.77, 7.81, 7.85 and 7.86.
CVE-2021-40503: Excessive data output from SAP GUI for Windows would allow remote users to gain unauthorized access to sensitive information stored on the underlying system.
This is a low severity flaw and received a CVSS score of 3.1/10. The vulnerability resides in all versions of SAP GUI prior to v7.60 PL13 and v7.70 PL4.
CVE-2021-40504: This flaw exists because SAP NetWeaver AS ABAP does not impose proper security restrictions, so a remote user with high privileges could reach sections of the system that would otherwise be restricted.
The vulnerability received a CVSS score of 2.4/10 and resides in the following versions of SAP NetWeaver AS ABAP: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 and 756.
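The three advisories above describe affected products either as an explicit list of releases (ABAP Platform, NetWeaver AS ABAP) or as "all versions prior to" a fixed patch level (SAP GUI for Windows). The following added example, which is not part of the original article and not SAP tooling, shows how a defender could triage an asset inventory against those statements. The `Host` records, the inventory, the assumed `major.minor PLn` version-string format and the function names are constructed for illustration; the CVE ids and affected versions are the ones the article lists.

```python
"""Triage a constructed SAP inventory against the three advisories above."""
import re
from dataclasses import dataclass

# Affected versions exactly as stated in the article.
ABAP_PLATFORM_AFFECTED = {"7.77", "7.81", "7.85", "7.86"}                  # CVE-2021-40501
NETWEAVER_AS_ABAP_AFFECTED = {"700", "701", "702", "710", "711", "730",
                              "731", "740", "750", "751", "752", "753",
                              "754", "755", "756"}                         # CVE-2021-40504
# CVE-2021-40503: SAP GUI for Windows is fixed from 7.60 PL13 and 7.70 PL4.
SAP_GUI_FIXED = {(7, 60): 13, (7, 70): 4}

# Assumed inventory format for SAP GUI: "<major>.<minor> PL<n>" (e.g. "7.60 PL12").
_GUI_RE = re.compile(r"^(\d+)\.(\d+)\s*PL\s*(\d+)$", re.IGNORECASE)


def parse_gui_version(text):
    """Parse '7.60 PL12' into ((7, 60), 12); raise on anything else."""
    m = _GUI_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SAP GUI version string: {text!r}")
    major, minor, pl = (int(g) for g in m.groups())
    return (major, minor), pl


def sap_gui_affected(version):
    """True when the client predates the fixed patch level of its release line.

    Release lines older than the newest fixed line (for example 7.50) are
    treated as affected, since the article says all versions prior to
    7.60 PL13 are vulnerable; lines newer than 7.70 are assumed to be fixed.
    """
    line, pl = parse_gui_version(version)
    if line in SAP_GUI_FIXED:
        return pl < SAP_GUI_FIXED[line]
    return line < max(SAP_GUI_FIXED)


@dataclass
class Host:
    name: str
    product: str   # "ABAP Platform", "NetWeaver AS ABAP" or "SAP GUI for Windows"
    version: str


def triage(hosts):
    """Return {host name: [CVE ids]} for every host on an affected version."""
    findings = {}
    for h in hosts:
        cves = []
        if h.product == "ABAP Platform" and h.version in ABAP_PLATFORM_AFFECTED:
            cves.append("CVE-2021-40501")
        elif h.product == "NetWeaver AS ABAP" and h.version in NETWEAVER_AS_ABAP_AFFECTED:
            cves.append("CVE-2021-40504")
        elif h.product == "SAP GUI for Windows" and sap_gui_affected(h.version):
            cves.append("CVE-2021-40503")
        if cves:
            findings[h.name] = cves
    return findings


# Constructed sample inventory; none of these hosts or versions are real assets.
SAMPLE_INVENTORY = [
    Host("erp-app-01", "ABAP Platform", "7.85"),
    Host("erp-app-02", "ABAP Platform", "7.89"),
    Host("nw-core-01", "NetWeaver AS ABAP", "752"),
    Host("ws-finance-07", "SAP GUI for Windows", "7.60 PL12"),
    Host("ws-finance-08", "SAP GUI for Windows", "7.60 PL13"),
    Host("ws-hr-03", "SAP GUI for Windows", "7.70 PL3"),
    Host("ws-hr-04", "SAP GUI for Windows", "7.50 PL9"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Exact-match lists are easy to get wrong when an inventory tool reports versions in a different form (for instance "7.85 SP02"), so in practice the version strings should be normalised to the vendor's notation before comparison; the GUI check shows the patch-level comparison that the "all versions prior to" wording requires.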
While these three flaws can be exploited by unauthenticated remote threat actors, no exploitation attempts have been detected in real-world scenarios so far, nor is any exploit linked to these flaws known to exist. Even so, information security experts recommend updating the affected deployments as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.