Multiple vulnerabilities in SAP Business One

Published: 2021-08-10
Risk: High
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2021-33704, CVE-2021-33700, CVE-2021-33698
CWE-ID: CWE-862, CWE-306, CWE-434
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
SAP Business One
Mobile applications / Apps for mobile phones

Vendor: SAP

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Missing Authorization

EUVDB-ID: #VU55671

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-33704

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote user to bypass the authorization process.

The vulnerability exists due to missing authorization checks in the Service Layer component of SAP Business One. A remote user can gain unauthorized access to otherwise restricted functionality.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SAP Business One: 10.0

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3078072


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Authentication for Critical Function

EUVDB-ID: #VU55670

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-33700

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to missing authentication for a critical function. A remote user can bypass the authentication process and compromise the affected system.
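Vulnerabilities 1 and 2 are two halves of the same defensive requirement: every request to a critical function must first be authenticated (CWE-306) and then authorized for the specific operation (CWE-862), and no endpoint may be reachable without both checks. The following added example, which is not SAP code and says nothing about how the Service Layer is implemented, shows a deny-by-default request dispatcher: each route must declare the permission it needs at registration time, the dispatcher refuses to register a route that declares none, and it resolves the caller's session and checks the permission before any handler runs. All names (Router, Session, the permission strings and tokens) are hypothetical and the session store is constructed inline.

```python
"""Deny-by-default authentication and authorization for an HTTP-style API.

Added illustration, not SAP's code. Every route declares the permission it
requires; the dispatcher checks the caller's session (CWE-306) and then the
permission (CWE-862) before the handler executes. Names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample session store: token -> Session (hypothetical)
SESSIONS: Dict[str, "Session"] = {}


@dataclass(frozen=True)
class Session:
    user: str
    permissions: frozenset


@dataclass
class Request:
    path: str
    token: Optional[str] = None
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, tuple] = {}

    def route(self, path: str, requires: str) -> Callable:
        """Register a handler; the required permission is mandatory, never implicit."""
        if not requires:
            # Fail closed: a route with no declared permission cannot be registered,
            # so a forgotten check becomes a startup error instead of an open endpoint.
            raise ValueError(f"route {path!r} must declare a required permission")

        def register(handler: Callable) -> Callable:
            self._routes[path] = (handler, requires)
            return handler
        return register

    def dispatch(self, req: Request) -> Response:
        entry = self._routes.get(req.path)
        if entry is None:
            return Response(404, "not found")
        handler, required = entry
        # Authentication (CWE-306): a missing or unknown token never reaches a handler.
        session = SESSIONS.get(req.token) if req.token else None
        if session is None:
            return Response(401, "authentication required")
        # Authorization (CWE-862): authenticated callers still need the exact permission.
        if required not in session.permissions:
            return Response(403, f"missing permission {required}")
        return handler(session, req)


router = Router()


@router.route("/service/users", requires="users:read")
def list_users(session: Session, req: Request) -> Response:
    return Response(200, "user list")


@router.route("/service/admin/config", requires="config:write")
def write_config(session: Session, req: Request) -> Response:
    return Response(200, f"config updated by {session.user}")


def seed_sessions() -> None:
    """Populate the constructed session store with two sample callers."""
    SESSIONS.clear()
    SESSIONS["tok-alice"] = Session("alice", frozenset({"users:read"}))
    SESSIONS["tok-admin"] = Session("admin", frozenset({"users:read", "config:write"}))


def demo() -> Dict[str, int]:
    """Dispatch a set of constructed requests and return the status each one gets."""
    seed_sessions()
    return {
        "anonymous": router.dispatch(Request("/service/users")).status,
        "bad_token": router.dispatch(Request("/service/users", token="tok-x")).status,
        "alice_users": router.dispatch(Request("/service/users", token="tok-alice")).status,
        "alice_config": router.dispatch(Request("/service/admin/config", token="tok-alice")).status,
        "admin_config": router.dispatch(Request("/service/admin/config", token="tok-admin")).status,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The design point is that the check lives in the dispatcher, not in each handler: a handler author cannot forget it, and the registration-time error makes an undeclared permission impossible rather than merely discouraged. Unauthenticated and unauthorized requests are distinguished (401 versus 403) so that monitoring can tell a scanning client from a legitimate user probing beyond their role.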

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SAP Business One: 10.0

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3073325


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Arbitrary file upload

EUVDB-ID: #VU55669

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-33698

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of files during file upload in SAP Business One. A remote authenticated user can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
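The mitigating controls for CWE-434 are independent of the product: decide the allowed file types on the server, verify that the content actually matches the declared type, ignore every path component the client supplies, and store the file under a server-chosen name. The following added example (not SAP's code, and not a description of how SAP Business One handles uploads) implements those checks over a few constructed sample uploads; the allowlist, size limit and all names are hypothetical.

```python
"""Server-side validation of uploaded files (CWE-434 mitigation).

Added illustration, not SAP's code. The allowlist, size limit, function names
and the constructed sample uploads are hypothetical.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_BYTES = 5 * 1024 * 1024  # hypothetical limit

# Allowed extensions mapped to the leading bytes the content must start with.
ALLOWED: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


@dataclass
class Upload:
    filename: str  # name claimed by the client; untrusted
    data: bytes


def extension_of(filename: str) -> Optional[str]:
    """Return the lower-cased final suffix of the last path component, or None."""
    # Only the last component counts, so directory parts and separators the
    # client sends are discarded; the final suffix decides the type, and the
    # content check in validate() must then agree with it.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base or base.startswith("."):
        return None
    return base.rsplit(".", 1)[1].lower()


def validate(upload: Upload) -> Tuple[bool, str]:
    """Return (True, extension) when acceptable, else (False, reason)."""
    if len(upload.data) == 0:
        return False, "empty file"
    if len(upload.data) > MAX_BYTES:
        return False, "file too large"
    ext = extension_of(upload.filename)
    if ext is None or ext not in ALLOWED:
        return False, f"extension not allowed: {ext!r}"
    # The declared type is only trusted if the bytes look like that type.
    if not any(upload.data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match declared type {ext}"
    return True, ext


def stored_name(upload: Upload) -> Optional[str]:
    """Server-chosen storage name (random stem, validated extension), or None if rejected."""
    ok, ext_or_reason = validate(upload)
    if not ok:
        return None
    # The client controls neither the path nor the suffix of the stored file.
    return f"{secrets.token_hex(16)}.{ext_or_reason}"


# Constructed sample uploads (hypothetical content)
SAMPLES: Dict[str, Upload] = {
    "good_png": Upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    "wrong_magic": Upload("avatar.png", b"not actually a png"),
    "exe_ext": Upload("installer.exe", b"MZ" + b"\x00" * 16),
    "nested_path": Upload("dir/sub/photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "no_ext": Upload("README", b"%PDF-1.7"),
    "oversized": Upload("big.pdf", b"%PDF-" + b"\x00" * MAX_BYTES),
}


def check_all() -> Dict[str, Tuple[bool, str]]:
    """Validate every constructed sample and return the verdicts by name."""
    return {name: validate(u) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:12s} -> {verdict}")
```

Two choices matter most here. The magic-byte check defeats the common case of executable content renamed with an image extension, and the random server-side name means that even an upload which passes validation cannot choose where it lands or what suffix the web server sees. Serving the upload directory with script execution disabled, and from a separate origin, is the usual complement to these checks.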

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SAP Business One: 10.0

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
http://launchpad.support.sap.com/#/notes/3071984


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
