CVE-2021-27602
Severity: CRITICAL
SAP Commerce 1808, 1811, 1905, 2005, 2011 - Authenticated Remote Code Execution via Source Rule Injection
Title source: llmDescription
In SAP Commerce versions 1808, 1811, 1905, 2005 and 2011, the Backoffice application allows certain authorized users to create source rules, which are translated into Drools rules when published to certain modules within the application. An attacker holding this authorization can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application.
References (2)
Vendor Advisory (x_refsource_misc): https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649
Permissions Required (x_refsource_misc): https://launchpad.support.sap.com/#/notes/3040210
Scores
CVSS v3 base score: 9.9
EPSS: 0.0185
EPSS Percentile: 83.2%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-94
Status: published
Products (5)
sap/commerce 1808
sap/commerce 1811
sap/commerce 1905
sap/commerce 2005
sap/commerce 2011
Published: Apr 13, 2021
Tracked Since: Feb 18, 2026