CVE-2021-33704 — HIGH (8.8)

Vulnerability Description

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sap	Business One	10.0

Related Weaknesses (CWE)

CWE-862

References

https://launchpad.support.sap.com/#/notes/3078072Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806PatchVendor Advisory
https://launchpad.support.sap.com/#/notes/3078072Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806PatchVendor Advisory

FAQ

What is CVE-2021-33704?

CVE-2021-33704 is a vulnerability with a CVSS score of 8.8 (HIGH). The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover th...

How severe is CVE-2021-33704?

CVE-2021-33704 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33704?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Business One.