ByteOS Network

NVD Vulnerability Details :

CVE-2021-21474

Analyzed

Source-cna@sap.com

Published At-09 Feb, 2021 | 21:15

Updated At-12 Jul, 2022 | 17:42

SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and without invalidating the digital signature, this allows them to impersonate as user in HANA database and be able to read the contents in the database.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary	2.0	5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:N

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Type: Primary

Version: 2.0

Base score: 5.5

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:S/C:P/I:P/A:N

CPE Matches

SAP SE

>>hana_database>>1.00

cpe:2.3:a:sap:hana_database:1.00:*:*:*:*:*:*:*

SAP SE

>>hana_database>>2.00

cpe:2.3:a:sap:hana_database:2.00:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-326	Primary	nvd@nist.gov

CWE ID: CWE-326

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://launchpad.support.sap.com/#/notes/2992154	cna@sap.com	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543	cna@sap.com	Vendor Advisory

Hyperlink: https://launchpad.support.sap.com/#/notes/2992154

Source: cna@sap.com

Resource:

Permissions Required

Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543

Source: cna@sap.com

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History