Patch released for a new critical vulnerability affecting SAP Commerce platforms.
SAP Commerce — CVE-2021-21477
SAP Commerce is prone to an arbitrary code execution vulnerability.
SAP Commerce Cloud solutions enable you to ease the buying process for your customers with a seamless experience – from search to sales.
A new critical vulnerability has been reported: a remote code execution flaw that allows threat actors to take advantage of the SAP application.
The vulnerability is caused by improper access control to the Drools rules.
An authenticated remote attacker can exploit this vulnerability by sending a specially crafted request.
Impacted SAP Commerce platforms:
The flaw affects SAP Commerce versions:
The severity score is 9.9 on the CVSS scale.
Successful exploitation can enable an attacker to inject and execute arbitrary code on the system.
A patch for the critical vulnerability has been released, but the fix is only partial, as it addresses the default permissions only when initializing a new installation of the platform.
Around 400k companies using this platform are affected.
An independent security audit revealed that 2,500 SAP systems were exposed to the internet and vulnerable to the bug, according to sensorstechforum.