SB2021081002 - Multiple vulnerabilities in SAP Business One

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Missing Authorization (CVE-ID: CVE-2021-33704)

The vulnerability allows a remote user to bypass authorization process.

The vulnerability exists due to missing authorization checks in Service Layer component in SAP Business One. A remote user can gain unauthorized access to otherwise restricted functionality.

2) Missing Authentication for Critical Function (CVE-ID: CVE-2021-33700)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to missing authentication for critical function. A remote user can bypass authentication process and compromise the affected system.

3) Arbitrary file upload (CVE-ID: CVE-2021-33698)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload in SAP Business One. A remote authenticated user can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Remediation

Install update from vendor's website.

References

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
• https://launchpad.support.sap.com/#/notes/3078072
• https://launchpad.support.sap.com/#/notes/3073325
• https://launchpad.support.sap.com/#/notes/3071984