ID

VAR-202110-1586


CVE

CVE-2021-40496


TITLE

SAP Internet Communication framework: vulnerability leaking resources to the wrong area

Trust: 0.8

sources: JVNDB: JVNDB-2021-013646

DESCRIPTION

SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 - allows an attacker with logon functionality to exploit the authentication function by using a POST request and form field to repeat execution of the initial command via a GET request, exposing sensitive data. This vulnerability is normally exposed over the network, and successful exploitation can lead to exposure of data such as system details. SAP Internet Communication framework contains a vulnerability related to the leakage of resources to the wrong area. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2021-40496 // JVNDB: JVNDB-2021-013646 // VULMON: CVE-2021-40496

AFFECTED PRODUCTS

vendor: sap, model: netweaver as abap, scope: eq, version: 731

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 700

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 755

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 756

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 753

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 751

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 750

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 752

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 730

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 754

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 702

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 755

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 740

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 785

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 701

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 756

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 700

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 730

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 751

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 752

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 731

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 753

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 750

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 702

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 754

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 740

Trust: 1.0

vendor: sap, model: netweaver abap, scope: eq, version: 785

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: eq, version: 701

Trust: 1.0

vendor: sap, model: netweaver as abap, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver abap, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-013646 // NVD: CVE-2021-40496

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-40496
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-202110-779
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-40496
value: MEDIUM

Trust: 0.1

NVD: CVE-2021-40496
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.9

NVD: CVE-2021-40496
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-40496
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-40496 // JVNDB: JVNDB-2021-013646 // CNNVD: CNNVD-202110-779 // NVD: CVE-2021-40496

PROBLEMTYPE DATA

problemtype: CWE-668

Trust: 1.0

problemtype: Leakage of resources to the wrong area (CWE-668) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-013646 // NVD: CVE-2021-40496

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-779

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202110-779

CONFIGURATIONS

sources: NVD: CVE-2021-40496

PATCH

title: Top Page, url: https://www.sap.com/index.html

Trust: 0.8

title: SAP Internet Communication Framework fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=166533

Trust: 0.6

sources: JVNDB: JVNDB-2021-013646 // CNNVD: CNNVD-202110-779

EXTERNAL IDS

db: NVD, id: CVE-2021-40496

Trust: 3.3

db: JVNDB, id: JVNDB-2021-013646

Trust: 0.8

db: CNNVD, id: CNNVD-202110-779

Trust: 0.6

db: VULMON, id: CVE-2021-40496

Trust: 0.1

sources: VULMON: CVE-2021-40496 // JVNDB: JVNDB-2021-013646 // CNNVD: CNNVD-202110-779 // NVD: CVE-2021-40496

REFERENCES

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=587169983

Trust: 1.7

url: https://launchpad.support.sap.com/#/notes/3087254

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-40496

Trust: 1.4

url: https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-of-october-2021-36632

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/668.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-40496 // JVNDB: JVNDB-2021-013646 // CNNVD: CNNVD-202110-779 // NVD: CVE-2021-40496

SOURCES

db: VULMON, id: CVE-2021-40496
db: JVNDB, id: JVNDB-2021-013646
db: CNNVD, id: CNNVD-202110-779
db: NVD, id: CVE-2021-40496

LAST UPDATE DATE

2022-09-23T00:09:47.530000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-40496, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2021-013646, date: 2022-09-20T06:11:00
db: CNNVD, id: CNNVD-202110-779, date: 2021-10-20T00:00:00
db: NVD, id: CVE-2021-40496, date: 2021-11-28T23:37:00

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-40496, date: 2021-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-013646, date: 2022-09-20T00:00:00
db: CNNVD, id: CNNVD-202110-779, date: 2021-10-12T00:00:00
db: NVD, id: CVE-2021-40496, date: 2021-10-12T15:15:00