Multiple vulnerabilities in SAP Business One



Published: 2021-08-10
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2021-33704
CVE-2021-33700
CVE-2021-33698
CWE-ID CWE-862
CWE-306
CWE-434
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
SAP Business One
Mobile applications / Apps for mobile phones

Vendor SAP

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Missing Authorization

EUVDB-ID: #VU55671

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33704

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote user to bypass authorization process.

The vulnerability exists due to missing authorization checks in Service Layer component in SAP Business One. A remote user can gain unauthorized access to otherwise restricted functionality.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Business One: 10.0


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3078072

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Missing Authentication for Critical Function

EUVDB-ID: #VU55670

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33700

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to missing authentication for critical function. A remote user can bypass authentication process and compromise the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Business One: 10.0


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3073325

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Arbitrary file upload

EUVDB-ID: #VU55669

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-33698

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload in SAP Business One. A remote authenticated user can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Business One: 10.0


CPE2.3 External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3071984

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###