Information security specialists have reported at least three security flaws in several complementary SAP products, the popular enterprise management suite. According to the report, exploiting these vulnerabilities could allow arbitrary code execution on compromised systems.

Below are brief descriptions of the reported flaws, along with their tracking identifiers and scores under the Common Vulnerability Scoring System (CVSS).

CVE-2021-21477: An unspecified security flaw in SAP Commerce would allow a remote authenticated user to send a specially crafted request to the application and execute arbitrary code on the target system.

According to the information security experts, the vulnerability received a CVSS score of 7.7/10, and its exploitation would allow full compromise of the affected system. The flaw affects the following versions of SAP Commerce:

  • 1808, 1811, 1905, 2005, 2011

CVE-2021-21475: An input validation error when processing directory traversal sequences in SAP NetWeaver Master Data Management would allow remote threat actors to send specially crafted HTTP requests to access arbitrary files on the affected system.

This flaw received a score of 5.1/10 and resides in the following versions of SAP NetWeaver Master Data Management Server:

  • 710, 710.750
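As an added illustration (not code from the report or from SAP), the following defensive check normalizes request paths from constructed web-server access log lines and flags directory traversal sequences, including percent-encoded and double-encoded forms, while leaving legitimate file names such as `report..pdf` alone. The log format, hosts and paths are all assumed sample values.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; not taken from any real SAP system.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:10:01:02 +0000] "GET /mdm/catalog/item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2021:10:01:07 +0000] "GET /mdm/files/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [10/Feb/2021:10:01:09 +0000] "GET /mdm/files/%2e%2e/%2e%2e/config.ini HTTP/1.1" 404 0
10.0.0.9 - - [10/Feb/2021:10:01:11 +0000] "GET /mdm/files/..%252f..%252fsecret HTTP/1.1" 403 0
10.0.0.7 - - [10/Feb/2021:10:01:15 +0000] "GET /mdm/files/report..pdf HTTP/1.1" 200 2048
"""

# Common-log-format request line: source, method, path and status code.
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding) and fold backslashes to '/'."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True only if a whole path segment is '..' after decoding (query string ignored)."""
    without_query = path.split("?", 1)[0]
    return any(segment == ".." for segment in without_query.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose normalized path contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue  # skip lines that are not request entries
        normalized = normalize_path(match["path"])
        if has_traversal(normalized):
            hits.append({"src": match["src"], "path": match["path"],
                         "normalized": normalized, "status": int(match["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["status"]} {hit["path"]} -> {hit["normalized"]}')
```

A 200 status on a flagged request is the record to triage first, since the server may actually have served the file.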

CVE-2021-21472: Weak default password requirements that do not require setting a server password during SAP NetWeaver Master Data Management installation allow remote users to gain unauthorized access to the vulnerable system.

This is a medium-severity flaw that received a score of 4.7/10 on the CVSS scale and resides in the following versions of SAP NetWeaver Master Data Management Server:

  • 710, 710.750

Although these flaws can be exploited by remote users sending specially crafted requests, security researchers have not reported detecting active exploitation attempts or any malware variants associated with them.

Security patches are now available, so SAP recommends that administrators of affected deployments update as soon as possible to prevent any exploitation attempt. To learn more about computer security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.