CVE-2021-27602

high-risk

Published 2021-04-13

SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.

Do I need to act?

1.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (5)

Commerce

Affected Vendors

Sap

References (4)

Permissions Required https://launchpad.support.sap.com/#/notes/3040210

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649

Permissions Required https://launchpad.support.sap.com/#/notes/3040210

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 5/34 · Minimal

Exposure 12/34 · Low