Remote Code Execution in SAP MII due to Malicious JSP Code Injection
CVE-2021-21480
Key Information:
- Vendor: SAP
- CVE Published: 9 March 2021
Summary
SAP MII lets users create dashboards in the Self Service Composition Environment (SSCE) and save them as JSP pages. Because the server does not adequately validate the dashboard content it receives, an attacker who intercepts the save request can inject malicious JSP code into the stored dashboard. When a user holding the SAP_XMII Developer role subsequently opens the compromised dashboard, the injected code is executed by the server, giving the attacker remote code execution. This can lead to privilege escalation and allows the attacker to run OS commands that read, modify, or delete sensitive files on the server. As a result, the confidentiality, integrity, and availability of the server are severely compromised, posing significant risk to the environment hosting SAP MII applications.
Affected Version(s)
SAP Manufacturing Integration and Intelligence < 15.1
SAP Manufacturing Integration and Intelligence < 15.2
SAP Manufacturing Integration and Intelligence < 15.3
EPSS Score
40% chance of being exploited in the next 30 days.