CVE-2021-21475 — HIGH (7.5)

Vulnerability Description

Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Sap	Netweaver Master Data Management Server	710

Related Weaknesses (CWE)

CWE-22

References

https://launchpad.support.sap.com/#/notes/3000897Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543Vendor Advisory
https://launchpad.support.sap.com/#/notes/3000897Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543Vendor Advisory

FAQ

What is CVE-2021-21475?

CVE-2021-21475 is a vulnerability with a CVSS score of 7.5 (HIGH). Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus charact...

How severe is CVE-2021-21475?

CVE-2021-21475 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21475?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver Master Data Management Server.