CVE-2021-21469 — HIGH (7.5)

Vulnerability Description

When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Sap	Netweaver Master Data Management	7.10

Related Weaknesses (CWE)

CWE-200

References

https://launchpad.support.sap.com/#/notes/2993032Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476Vendor Advisory
https://launchpad.support.sap.com/#/notes/2993032Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476Vendor Advisory

FAQ

What is CVE-2021-21469?

CVE-2021-21469 is a vulnerability with a CVSS score of 7.5 (HIGH). When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the...

How severe is CVE-2021-21469?

CVE-2021-21469 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21469?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver Master Data Management.