CVE-2021-38176
HIGH
SAP Landscape Transformation - NZDT ABAP Code Injection
Title source: manual
Description
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in the Solution Section to execute a manipulated query or inject ABAP code to gain access to the backend database. On successful exploitation, the threat actor could completely compromise the confidentiality, integrity, and availability of the system.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/3089831
Scores
CVSS v3
8.8
EPSS
0.0072
EPSS Percentile
72.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (12)
sap/landscape_transformation
2.0
sap/landscape_transformation_replication_server
1.0
sap/landscape_transformation_replication_server
2.0
sap/landscape_transformation_replication_server
3.0
sap/s\/4hana
1511
sap/s\/4hana
1610
sap/s\/4hana
1709
sap/s\/4hana
1809
sap/s\/4hana
1909
sap/s\/4hana
2020
... and 2 more
Published
Sep 14, 2021
Tracked Since
Feb 18, 2026