Critical vulnerabilities in SAP products – update immediately

17. August 2021

The National Cyber Security Centre SK-CERT warns of critical vulnerabilities in SAP products.

SAP is one of the largest software manufacturers in the world. Its products focus mainly on customer relationship management, supply chain management, human resources, expenditure management and other areas. Software solutions from SAP are used worldwide not only in the private but also in the public sector.

On 10 August 2021 SAP released a package of updates within SAP Security Patch Day. This package fixes a total of 18 vulnerabilities in various SAP products, two with CVSS 9.9 and one with CVSS 9.1.

The vulnerability, tracked as CVE-2021-33698 (CVSS 9.9), allows an attacker in SAP Business One product to upload unlimitedly any files to the server, including a malicious code.

SAP NetWeaver Development Infrastructure product contains a vulnerability SSRF (Server-side request forgery), tracked as CVE-2021-33690 (CVSS 9.9); and DMIS Mobile Plug-In product contains SQL injection vulnerability, tracked as CVE-2021-33701 (CVSS 9.1). These vulnerabilities allow the remote attacker to modify the content of the database or data exfiltration.

For a complete list of vulnerabilities and affected products visit the official site of SAP Security Patch Day from August 2021.

The National Cyber Security Centre SK-CERT recommends that all administrators of SAP products and systems allow updates of all affected products and systems to the latest version without delay.

« Späť na zoznam

Critical vulnerabilities in SAP products – update immediately

SK-CERT Bezpečnostné varovanie V20240418-04

SK-CERT Bezpečnostné varovanie V20240418-03

SK-CERT Bezpečnostné varovanie V20240418-03