CVE-2021-38176

9.9CRITICAL

Key Information:

Vendor: SAP
Status: SAP S/4hana; SAP Lt Replication Server; SAP Ltrs For S/4hana; SAP Test Data Migration Server
Vendor: CVE Published:; 14 September 2021

Summary

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

Affected Version(s)

SAP Landscape Transformation < 2.0

SAP LT Replication Server < 2.0 < 2.0

SAP LT Replication Server < 3.0 < 3.0

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/3089831

x_refsource_MISC

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Sep 14, 2021
Vulnerability Reserved
Aug 7, 2021