April 14, 2021
Severity
Medium
Analysis Summary
CVE-2021-27603
SAP NetWeaver AS for ABAP is vulnerable to denial of service (DoS) because calls to the RFC-enabled function module SPI_WAIT_MILLIS are not restricted. A remote attacker can call the function repeatedly and block all work processes, resulting in a denial-of-service condition.
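A detection-side illustration of the condition above, added here as an example and not taken from Rewterz or SAP: it scans call records for one caller invoking SPI_WAIT_MILLIS many times within a short window. The log format is a constructed, simplified one ("timestamp caller=… fm=…"), not SAP's own gateway or audit log format, so a real deployment would first map its actual RFC log fields onto that shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (simplified format, not SAP's real log layout):
# caller 10.0.0.5 hammers SPI_WAIT_MILLIS, caller 10.0.0.9 calls it only sparsely.
SAMPLE_LOG = """\
2021-04-14T10:00:00 caller=10.0.0.9 fm=SPI_WAIT_MILLIS
2021-04-14T10:00:05 caller=10.0.0.5 fm=RFC_PING
2021-04-14T10:00:10 caller=10.0.0.5 fm=SPI_WAIT_MILLIS
2021-04-14T10:00:11 caller=10.0.0.5 fm=SPI_WAIT_MILLIS
2021-04-14T10:00:12 caller=10.0.0.5 fm=SPI_WAIT_MILLIS
2021-04-14T10:00:13 caller=10.0.0.5 fm=SPI_WAIT_MILLIS
2021-04-14T10:00:14 caller=10.0.0.5 fm=SPI_WAIT_MILLIS
2021-04-14T10:02:00 caller=10.0.0.9 fm=SPI_WAIT_MILLIS
2021-04-14T10:02:30 caller=10.0.0.9 fm=SPI_WAIT_MILLIS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) caller=(?P<caller>\S+) fm=(?P<fm>\S+)$")
WATCHED_FM = "SPI_WAIT_MILLIS"  # the RFC-enabled function module named in CVE-2021-27603


def flag_spi_wait_floods(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {caller: timestamp} for each caller that reaches `threshold`
    calls to SPI_WAIT_MILLIS inside any sliding `window`.

    The timestamp is the moment the caller first crossed the threshold,
    which is where an alert should fire."""
    recent = defaultdict(deque)  # caller -> timestamps of its calls inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["fm"] != WATCHED_FM:
            continue  # ignore malformed lines and other function modules
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["caller"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop calls that have aged out of the window
        if len(q) >= threshold and m["caller"] not in flagged:
            flagged[m["caller"]] = ts
    return flagged


if __name__ == "__main__":
    for caller, when in flag_spi_wait_floods(SAMPLE_LOG).items():
        print(f"ALERT: {caller} exceeded SPI_WAIT_MILLIS call threshold at {when.isoformat()}")
```

The threshold and window are tuning knobs: legitimate monitoring jobs may call the module occasionally, so baseline normal call rates before alerting on them.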
CVE-2021-27601
SAP NetWeaver AS Java is vulnerable to cross-site scripting caused by improper validation of user-supplied input. Exploitation requires a remote, authenticated attacker who injects malicious script into web pages; the script executes in a victim's browser, within the security context of the hosting website, when the page is viewed. As a result, the victim's cookie-based authentication credentials can be stolen.
CVE-2021-21482
SAP NetWeaver Master Data Management could allow an attacker to obtain sensitive information because of improper authentication validation. An attacker could use brute-force attacks to obtain sensitive data and launch further attacks against the affected system.
Impact
- Information disclosure
- Denial of service
- Cross-site scripting
Affected Vendors
SAP
Affected Products
- SAP NetWeaver AS for ABAP 731
- SAP NetWeaver AS for ABAP 740
- SAP NetWeaver AS for ABAP 750
- SAP NetWeaver AS Java
- SAP NetWeaver Master Data Management 7.10.750
- SAP NetWeaver Master Data Management 710
Remediation
Current SAP users can log in to their SAP account for information on the available patches at https://accounts.sap.com/saml2/idp/sso