CVE-2021-21477
Severity
CRITICAL
SAP Commerce Cloud 1808, 1811, 1905, 2005, 2011 - Authenticated Remote Code Execution via Drools Rule Injection
Title source: llmDescription
SAP Commerce Cloud versions 1808, 1811, 1905, 2005 and 2011 allow certain users who hold the required privilege to edit Drools rules. An authenticated attacker holding that privilege can inject malicious code into a Drools rule; when the rule is executed, the injected code runs on the underlying host (Remote Code Execution). The attacker can thereby compromise the host and impair the confidentiality, integrity and availability of the application.
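As an added illustration of the CWE-94 mechanism the description refers to (example code added to this entry; it is not SAP's or Drools' own code and not part of the original page): the consequence of a Drools rule, the `then` block of a DRL file, is Java source that the rule engine compiles and runs, so anyone who can edit rule text can run arbitrary Java inside the engine's process. The audit function below extracts each rule's consequence and flags Java APIs that a pricing or promotion rule has no reason to call. The API list, the two sample rules, the `Cart` type and the rule names are constructed for the example and are assumptions; nothing here is taken from SAP Commerce, and this is a heuristic pre-deployment check, not a substitute for applying the vendor fix or for restricting who holds the rule-editing privilege.

```python
"""Heuristic audit of Drools DRL text for rule consequences that reach
outside the rule engine.  Example code added to this CVE entry; not SAP's
or Drools' own code.  The API list, the rule texts and the Cart type are
constructed for the example (assumptions), not taken from SAP Commerce."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Java APIs that a business rule (pricing, promotion, ...) has no reason to
# call from its consequence.  Assumed list for the example; extend as needed.
DANGEROUS_PATTERNS: Dict[str, str] = {
    "process execution": r"\bRuntime\s*\.\s*getRuntime\s*\(|\bProcessBuilder\b",
    "reflection / class loading": r"\bClass\s*\.\s*forName\s*\(|\bgetDeclaredMethod\b|\bClassLoader\b",
    "script engine": r"\bScriptEngineManager\b|\bGroovyShell\b",
    "file / network I/O": r"\bjava\.io\.File\b|\bFileOutputStream\b|\bjava\.net\.(?:URL|Socket)\b",
    "JVM control": r"\bSystem\s*\.\s*exit\s*\(",
}

# One DRL rule:  rule "name"  when <LHS patterns>  then <RHS: Java code>  end
RULE_RE = re.compile(
    r'\brule\s+"(?P<name>[^"]+)".*?\bthen\b(?P<consequence>.*?)\bend\b',
    re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    rule: str       # name of the rule the suspicious call sits in
    category: str   # which DANGEROUS_PATTERNS entry matched
    snippet: str    # the matched text


def extract_consequences(drl: str) -> Dict[str, str]:
    """Return {rule name: raw consequence text} for every rule in a DRL file.
    The consequence is the part the engine compiles and executes as Java."""
    return {m.group("name"): m.group("consequence") for m in RULE_RE.finditer(drl)}


def audit_drl(drl: str) -> List[Finding]:
    """Flag every dangerous API reference found in any rule consequence."""
    findings: List[Finding] = []
    for name, consequence in extract_consequences(drl).items():
        for category, pattern in DANGEROUS_PATTERNS.items():
            for m in re.finditer(pattern, consequence):
                findings.append(Finding(name, category, m.group(0)))
    return findings


# Constructed sample rules (not from SAP Commerce).  The first is what a rule
# editor is meant to write; the second carries an injected consequence of the
# kind CWE-94 describes.
BENIGN_DRL = '''
package com.example.promotions

rule "10 percent off large carts"
    when
        $cart : Cart(total > 100)
    then
        $cart.applyDiscount(10);
end
'''

INJECTED_DRL = '''
package com.example.promotions

rule "5 percent off, with injected consequence"
    when
        $cart : Cart()
    then
        $cart.applyDiscount(5);
        Runtime.getRuntime().exec("id");
end
'''

if __name__ == "__main__":
    for label, drl in (("benign", BENIGN_DRL), ("injected", INJECTED_DRL)):
        hits = audit_drl(drl)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  rule {f.rule!r}: {f.category} via {f.snippet!r}")
```

Run as a script it reports no findings for the benign rule and one "process execution" finding for the injected one. The check is deliberately narrow: it only looks at consequence text, so a rule that imports a helper class under a harmless name, or one written in the MVEL dialect, can still slip past; treat a hit as a reason to block deployment and a miss as no evidence either way.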
References (2)
Vendor Advisory: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543
SAP Note 3014121 (login required): https://launchpad.support.sap.com/#/notes/3014121
Scores
CVSS v3
9.9
EPSS
0.0099
EPSS Percentile
77.1%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status
published
Products (5)
sap/commerce: 1808, 1811, 1905, 2005, 2011
Published
Feb 09, 2021
Tracked Since
Feb 18, 2026