Critical Vulnerabilities in SAP Products

Published on 15 Apr 2021

Updated on 15 Apr 2021

SAP has released security patches to address multiple vulnerabilities in their Business Client, Commerce, and NetWeaver products.

A few of the vulnerabilities have been classified as critical in severity and require the immediate attention of the administrator of the affected SAP products. They are listed in the table below.

CRITICAL VULNERABILITIES
| CVE Number | CVE Name | Base Score |
|---|---|---|
| - | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 |
| CVE-2021-27602 | Remote Code Execution vulnerability in Source Rules of SAP Commerce | 9.9 |
| CVE-2021-21481 | Missing Authorisation Check in SAP NetWeaver AS for JAVA (Migration Service) | 9.6 |
| CVE-2021-21482 | Information disclosure in SAP NetWeaver Master Data Management | 8.3 |
| CVE-2021-21483 | Information disclosure in SAP Solution Manager | 8.2 |
| CVE-2020-26832 | Missing authorisation check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) | 7.6 |
| CVE-2021-27608 | Unquoted search path in SAPSetup | 7.5 |
| CVE-2021-21485 | Information disclosure in SAP NetWeaver AS for Java (Telnet Commands) | 7.4 |

For the full list of security patches released by SAP, please refer to https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649