SB2021091415 - Multiple vulnerabilities in SAP Business One

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2021-37532)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to enabled directory listing. A remote user can gain unauthorized access to sensitive information on the system.

2) SQL injection (CVE-ID: CVE-2021-33688)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

3) Information disclosure (CVE-ID: CVE-2021-33686)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.

4) Path traversal (CVE-ID: CVE-2021-33685)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user  can send a specially crafted HTTP request and read arbitrary files on the system.

Remediation

Install update from vendor's website.

References

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
• https://launchpad.support.sap.com/#/notes/3075546
• https://launchpad.support.sap.com/#/notes/3069882
• https://launchpad.support.sap.com/#/notes/3070138
• https://launchpad.support.sap.com/#/notes/3069032