CVE-2021-38176

Summary

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP S/4HANA< 1511affected
SAP SESAP S/4HANA< 1610affected
SAP SESAP S/4HANA< 1709affected
SAP SESAP S/4HANA< 1809affected
SAP SESAP S/4HANA< 1909affected
SAP SESAP S/4HANA< 2020affected
SAP SESAP S/4HANA< 2021affected
SAP SESAP LT Replication Server< 2.0affected
SAP SESAP LT Replication Server< 3.0affected
SAP SESAP LTRS for S/4HANA< 1.0affected
SAP SESAP Test Data Migration Server< 4.0affected
SAP SESAP Landscape Transformation< 2.0affected

Weaknesses

  • Improper Input Sanitization

ADP Enrichment

CVE Program Container

Additional References

References