CVE-2021-21472
HIGH
SAP Software Provisioning Manager 1.0 - Authenticated Security Bypass via Missing Password Configuration
Title source: llmDescription
SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set a password during its installation. This allows an authenticated attacker to perform various security attacks such as directory traversal, password brute-force attack, SMB relay attack, and security downgrade.
References (2)
Core References
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2998173
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543
Scores
CVSS v3: 8.8
EPSS: 0.0019
EPSS Percentile: 40.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-306
Status: published
Products (1): sap/software_provisioning_manager 1.0
Published: Feb 09, 2021
Tracked Since: Feb 18, 2026