Remote Code Execution in SAP Commerce Backoffice Application
CVE-2021-27602

9.9CRITICAL

Key Information:

Vendor: SAP
Status: SAP Commerce
Vendor: CVE Published:; 13 April 2021

Summary

The SAP Commerce Backoffice application has a vulnerability that allows users with certain authorizations to create source rules. These rules are translated into Drools rules when published, enabling an attacker with the right permissions to inject malicious code. This can lead to remote code execution, potentially compromising the application by affecting its confidentiality, integrity, and availability.

Affected Version(s)

SAP Commerce < 1808 < 1808

SAP Commerce < 1811 < 1811

SAP Commerce < 1905 < 1905

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/3040210

x_refsource_MISC

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 13, 2021
Vulnerability Reserved
Feb 23, 2021