CVE-2021-40503

moderate-risk
Published 2021-11-10

An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (19)

Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows
Gui For Windows

Affected Vendors

Sap

References (4)

Permissions Required https://launchpad.support.sap.com/#/notes/3080106
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864
Permissions Required https://launchpad.support.sap.com/#/notes/3080106
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864
43
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 0/34 · Minimal
Exposure 19/34 · Moderate