CVE-2021-38176: SQL Injection
First published: Tue Sep 14 2021(Updated: )
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sap Landscape Transformation | =2.0 | |
| Sap Landscape Transformation Replication Server | =1.0 | |
| Sap Landscape Transformation Replication Server | =2.0 | |
| Sap Landscape Transformation Replication Server | =3.0 | |
| Sap S\/4hana | =1511 | |
| Sap S\/4hana | =1610 | |
| Sap S\/4hana | =1709 | |
| Sap S\/4hana | =1809 | |
| Sap S\/4hana | =1909 | |
| Sap S\/4hana | =2020 | |
| Sap S\/4hana | =2021 | |
| Sap Test Data Migration Server | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-38176?
CVE-2021-38176 has been identified as a high severity vulnerability due to the potential for remote code execution.
How can I fix CVE-2021-38176?
To fix CVE-2021-38176, update the affected SAP software to the latest version as provided in the vendor's security notes.
What versions of SAP software are affected by CVE-2021-38176?
CVE-2021-38176 affects multiple versions of SAP Landscape Transformation, SAP S/4HANA, and SAP Test Data Migration Server.
What impact does CVE-2021-38176 have on system security?
The exploitation of CVE-2021-38176 can allow an authenticated user to execute unauthorized queries or inject code, potentially compromising database security.
Who can exploit CVE-2021-38176?
CVE-2021-38176 can be exploited by an authenticated user with specific privileges within the affected SAP systems.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- vendor/sap
- canonical/sap landscape transformation
- version/sap landscape transformation/2.0
- canonical/sap landscape transformation replication server
- version/sap landscape transformation replication server/1.0
- version/sap landscape transformation replication server/2.0
- version/sap landscape transformation replication server/3.0
- canonical/sap s\/4hana
- version/sap s\/4hana/1511
- version/sap s\/4hana/1610
- version/sap s\/4hana/1709
- version/sap s\/4hana/1809
- version/sap s\/4hana/1909
- version/sap s\/4hana/2020
- version/sap s\/4hana/2021
- canonical/sap test data migration server
- version/sap test data migration server/4.0