CVE-2021-33701: SQL Injection
First published: Wed Sep 15 2021(Updated: )
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sap Dmis | =710 | |
| Sap Dmis | =2011_1_620 | |
| Sap Dmis | =2011_1_640 | |
| Sap Dmis | =2011_1_700 | |
| Sap Dmis | =2011_1_710 | |
| Sap Dmis | =2011_1_730 | |
| Sap Dmis | =2011_1_731 | |
| Sap Dmis | =2011_1_752 | |
| Sap Dmis | =2020125 | |
| Sap S4core | =102 | |
| Sap S4core | =103 | |
| Sap S4core | =104 | |
| Sap S4core | =105 | |
| Sap Sapscore | =125 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html
- http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html
- http://seclists.org/fulldisclosure/2021/Dec/35
- http://seclists.org/fulldisclosure/2021/Dec/36
- https://launchpad.support.sap.com/#/notes/3078312
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
Frequently Asked Questions
What is CVE-2021-33701?
CVE-2021-33701 is a critical vulnerability in DMIS Mobile Plug-In or SAP S/4HANA versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, that allows an attacker with access to a highly privileged account to execute manipulated queries in the NDZT tool.
What is the severity of CVE-2021-33701?
CVE-2021-33701 has a severity rating of 9.1 (critical).
Which software versions are affected by CVE-2021-33701?
CVE-2021-33701 affects DMIS Mobile Plug-In and SAP S/4HANA versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105.
How does CVE-2021-33701 exploit work?
CVE-2021-33701 allows an attacker with access to a highly privileged account to execute manipulated queries in the NDZT tool.
Are there any references for CVE-2021-33701?
Yes, you can find more information about CVE-2021-33701 at the following references: [Reference 1](http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html), [Reference 2](http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html), [Reference 3](http://seclists.org/fulldisclosure/2021/Dec/35).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/sap
- canonical/sap dmis
- version/sap dmis/710
- version/sap dmis/2011_1_620
- version/sap dmis/2011_1_640
- version/sap dmis/2011_1_700
- version/sap dmis/2011_1_710
- version/sap dmis/2011_1_730
- version/sap dmis/2011_1_731
- version/sap dmis/2011_1_752
- version/sap dmis/2020125
- canonical/sap s4core
- version/sap s4core/102
- version/sap s4core/103
- version/sap s4core/104
- version/sap s4core/105
- canonical/sap sapscore
- version/sap sapscore/125