CVE-2021-33676 - OpenCVE

A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Customer Relationship Management

Configuration 1 [-]

OR	cpe:2.3:a:sap:customer_relationship_management:700:::::::*
	cpe:2.3:a:sap:customer_relationship_management:701:::::::*
	cpe:2.3:a:sap:customer_relationship_management:702:::::::*
	cpe:2.3:a:sap:customer_relationship_management:712:::::::*
	cpe:2.3:a:sap:customer_relationship_management:713:::::::*
	cpe:2.3:a:sap:customer_relationship_management:714:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3066316	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2021-07-14T11:03:48

Updated: 2021-07-14T11:03:48

Reserved: 2021-05-28T00:00:00

Link: CVE-2021-33676

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-14T12:15:08.307

Modified: 2021-07-16T16:19:18.970

Link: CVE-2021-33676

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "SAP CRM", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 700"}, {"status": "affected", "version": "< 701"}, {"status": "affected", "version": "< 702"}, {"status": "affected", "version": "< 712"}, {"status": "affected", "version": "< 713"}, {"status": "affected", "version": "< 714"}]}], "descriptions": [{"lang": "en", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Missing Authority Check", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-14T11:03:48", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3066316"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2021-33676", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP CRM", "version": {"version_data": [{"version_name": "<", "version_value": "700"}, {"version_name": "<", "version_value": "701"}, {"version_name": "<", "version_value": "702"}, {"version_name": "<", "version_value": "712"}, {"version_name": "<", "version_value": "713"}, {"version_name": "<", "version_value": "714"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system."}]}, "impact": {"cvss": {"baseScore": "6.8", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing Authority Check"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"}, {"name": "https://launchpad.support.sap.com/#/notes/3066316", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3066316"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-33676", "datePublished": "2021-07-14T11:03:48", "dateReserved": "2021-05-28T00:00:00", "dateUpdated": "2021-07-14T11:03:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:customer_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "082053C1-23F5-43E1-B2FD-5ECDE3EFC101", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "1827CD2E-82B5-4D80-B606-ECEA9977905E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "33C39D15-9A98-4051-A086-A08EB3E3776D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:712:*:*:*:*:*:*:*", "matchCriteriaId": "1E6F69C1-E6CD-4B48-BE75-66BC355EA643", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:713:*:*:*:*:*:*:*", "matchCriteriaId": "69E8FBB3-92C7-4B2A-8A4E-E30EB6B64F7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:714:*:*:*:*:*:*:*", "matchCriteriaId": "93135E4D-F522-4A0C-9580-DBF6FC51931A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de autoridad en SAP CRM, versiones - 700, 701, 702, 712, 713, 714, podr\u00eda ser aprovechada por un atacante con altos privilegios para comprometer la confidencialidad, integridad o disponibilidad del sistema"}], "id": "CVE-2021-33676", "lastModified": "2021-07-16T16:19:18.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-14T12:15:08.307", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3066316"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}