CVE-2021-40499 - OpenCVE

Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Application Server Abap

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_application_server_abap:7.70:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:7.70_pi:::::::*
	cpe:2.3:a:sap:netweaver_application_server_abap:7.70byd:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3100882	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2021-10-12T14:04:00

Updated: 2021-10-12T14:04:00

Reserved: 2021-09-03T00:00:00

Link: CVE-2021-40499

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-12T15:15:09.637

Modified: 2021-10-18T18:37:04.680

Link: CVE-2021-40499

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.70"}, {"status": "affected", "version": "< 7.70 PI"}, {"status": "affected", "version": "< 7.70BYD"}]}], "descriptions": [{"lang": "en", "value": "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application."}], "problemTypes": [{"descriptions": [{"description": "Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-12T14:04:00", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3100882"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2021-40499", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)", "version": {"version_data": [{"version_name": "<", "version_value": "7.70"}, {"version_name": "<", "version_value": "7.70 PI"}, {"version_name": "<", "version_value": "7.70BYD"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application."}]}, "impact": {"cvss": {"baseScore": "null", "vectorString": "null", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"name": "https://launchpad.support.sap.com/#/notes/3100882", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3100882"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-40499", "datePublished": "2021-10-12T14:04:00", "dateReserved": "2021-09-03T00:00:00", "dateUpdated": "2021-10-12T14:04:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.70:*:*:*:*:*:*:*", "matchCriteriaId": "1506470D-41D9-44F8-AA3A-FA4971640FA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.70_pi:*:*:*:*:*:*:*", "matchCriteriaId": "981B6677-8B4E-4683-B68D-446A58185298", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:7.70byd:*:*:*:*:*:*:*", "matchCriteriaId": "EAC4702C-896D-401E-AFF0-F96FFC94EBEC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application."}, {"lang": "es", "value": "Los servicios de impresi\u00f3n del lado del cliente SAP Cloud Print Manager y SAPSprint para SAP NetWeaver Application Server for ABAP - versiones 7.70, 7.70 PI, 7.70 BYD, permiten a un atacante inyectar c\u00f3digo que puede ser ejecutado por la aplicaci\u00f3n. Un atacante podr\u00eda as\u00ed controlar el comportamiento de la aplicaci\u00f3n"}], "id": "CVE-2021-40499", "lastModified": "2021-10-18T18:37:04.680", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-12T15:15:09.637", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3100882"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}