PT-2021-14537 · SAP · SAP NetWeaver Master Data Management
Published: 2021-01-12 · Updated: 2023-02-10 · CVE-2021-21469
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
SAP NetWeaver Master Data Management versions 7.10, 710, and 710.750
Description
The issue arises when the security guidelines for SAP NetWeaver Master Data Management running on Windows have not been thoroughly reviewed. This oversight can allow an external operator to set custom paths in the MDS server configuration. If adequate protection is not enforced, a malicious user could define UNC paths and exploit them through an SMB relay attack, putting the system at risk and exposing highly sensitive data, which leads to Information Disclosure.
Recommendations
For SAP NetWeaver Master Data Management versions 7.10, 710, and 710.750, ensure that the security guidelines are thoroughly reviewed and that adequate protection is enforced on all levels, including setting the MDS Server password and properly securing the network and OS configurations.
As a temporary workaround, consider restricting the ability to set custom paths in the MDS server configuration until a patch is available.
Restrict access to sensitive data and to UNC paths to minimize the risk of exploitation.
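As an added illustration of the last two recommendations (this script is not part of the advisory and is not SAP's own tooling), the following audit flags directory settings in an INI-style MDS server configuration that point to a UNC location, or to a local root outside an allowed set of drives. The INI layout, the key names ending in "Dir", and the sample values are assumptions constructed for the example.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample in an INI style; the key names are illustrative, not taken
# from SAP documentation. Three entries point at remote (UNC) locations.
SAMPLE_CONFIG = r"""
[GLOBAL]
Log Dir=C:\MDM\Logs
Archive Dir=\\attacker-host\share\archive
Distribution Root Dir=//10.0.0.5/dist
Report Dir=\\?\UNC\fileserver\mdm\reports
Temp Dir=D:\MDM\Temp
"""

# Matches \\host\..., //host/... and the long-form \\?\UNC\host\... while not
# matching the local long-path prefix \\?\C:\... (negative lookahead on '?').
UNC_RE = re.compile(r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2}(?!\?))[^\\/]+")


def is_unc_path(value: str) -> bool:
    """True if the value names a UNC (remote SMB) location."""
    return bool(UNC_RE.match(value.strip()))


def find_remote_paths(config_text: str, allowed_roots=("C:\\", "D:\\")):
    """Return (section, key, value, reason) for every '... Dir' setting that
    is a UNC path or whose drive root is not in allowed_roots.

    Relative values have an empty anchor and are therefore reported too, since
    they resolve against a working directory the reviewer cannot see here."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not key.lower().endswith(" dir"):
                continue  # only directory settings are path-valued here
            if is_unc_path(value):
                findings.append((section, key, value, "UNC path"))
            elif PureWindowsPath(value).anchor not in allowed_roots:
                findings.append((section, key, value, "outside allowed roots"))
    return findings


if __name__ == "__main__":
    for section, key, value, reason in find_remote_paths(SAMPLE_CONFIG):
        print(f"[{section}] {key} = {value}  <- {reason}")
```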
Fix
Information Disclosure
Affected Products
SAP NetWeaver Master Data Management