PT-2021-17538 · SAP · SAP Commerce

Published 2021-04-13 · Updated 2021-04-21 · CVE-2021-27602

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP Commerce versions 1808, 1811, 1905, 2005, 2011
Description: The Backoffice application in SAP Commerce lets authorized users create source rules that are translated into Drools rules when published to certain modules. Because the rule content is carried into the generated Drools rule, a user who holds this authorization can inject arbitrary code into a source rule and have it executed on the server when the rule is published, achieving remote code execution and compromising the confidentiality, integrity and availability of the application. The vector reflects this: the attacker needs an authenticated, low-privileged Backoffice account (PR:L) with rule-authoring rights, no user interaction, and the impact reaches beyond the Backoffice component itself (S:C), since the injected code runs on the SAP Commerce platform host.
Recommendations: For versions 1808, 1811, 1905, 2005 and 2011, restrict access to the Backoffice application and limit the ability to create source rules to the smallest possible set of accounts; audit which users and groups currently hold that right, since every one of them is a potential attacker under this CVE. As a temporary workaround, disable the publication of source rules to the affected modules until a patch is applied. This entry records no fixed version; check SAP's security note for CVE-2021-27602 before relying on the workarounds alone.
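The following is an added illustration of the bug class described above and of two checks that address it; it is constructed for this entry and is not SAP Commerce code. It models the source-rule-to-Drools translation as a DRL string template into which a user-supplied rule parameter is concatenated (an assumption about the general shape of the translator, not its actual implementation), shows a constructed parameter value that escapes the string literal and supplies its own rule consequence calling into java.lang.Runtime, and then adds the two controls a practitioner would want: strict input validation before translation, and a pre-publish scan of the generated DRL that flags any rule whose consequence uses constructs a promotion rule never needs.

```python
"""Model of how a free-text rule parameter can escape into the Drools
consequence (the "then" block) of a generated rule, plus two checks.

Constructed illustration, not SAP Commerce code: the real Backoffice
source-rule translator is more involved; only the shape of the bug and
of the controls is modelled here.
"""
import re

# Simplified DRL template standing in for the generated rule (assumption:
# the real translator emits something comparable for a cart-level action).
_TEMPLATE = '''rule "{name}"
when
    $cart : CartRAO( code == "{code}" )
then
    $cart.setDiscount(10);
end'''

# Constructed attacker-controlled parameter value. It closes the string
# literal and the pattern, supplies its own consequence that calls into
# java.lang.Runtime, and reopens a syntactically complete second rule so
# the generated file still compiles and publishes cleanly.
INJECTED_CODE = ('x" ) then Runtime.getRuntime().exec("id"); end '
                 'rule "pwn" when $cart : CartRAO( code == "y')


def translate_unsafe(name: str, code: str) -> str:
    """Vulnerable pattern: parameters concatenated into DRL unchecked."""
    return _TEMPLATE.format(name=name, code=code)


# Allow only the narrow vocabulary a product/promotion code actually needs.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def translate_safe(name: str, code: str) -> str:
    """Hardened translator: reject any parameter outside the allowed set
    before it can reach the generated DRL."""
    for label, value in (("name", name), ("code", code)):
        if not _SAFE_VALUE.match(value):
            raise ValueError(
                f"rule {label} contains characters outside the allowed set")
    return _TEMPLATE.format(name=name, code=code)


# Constructs that have no business in a promotion rule's consequence.
_DENY = ("Runtime", "ProcessBuilder", "Class.forName", "java.lang.reflect",
         "System.", "ScriptEngine")

# One rule block: from the 'rule "<name>"' header up to its closing 'end'.
_RULE_BLOCK = re.compile(r'rule\s+"([^"]+)"(.*?)\bend\b', re.DOTALL)


def flag_rules(drl: str) -> list[str]:
    """Pre-publish check: names of rules whose consequence uses a denied
    construct. Runs over the generated DRL, so it catches injection
    regardless of which input field it came through."""
    flagged = []
    for match in _RULE_BLOCK.finditer(drl):
        name, body = match.group(1), match.group(2)
        _, sep, consequence = body.partition("then")
        if sep and any(token in consequence for token in _DENY):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    drl = translate_unsafe("promo", INJECTED_CODE)
    print(drl)
    print("flagged:", flag_rules(drl))
    try:
        translate_safe("promo", INJECTED_CODE)
    except ValueError as err:
        print("rejected:", err)
```

The denylist scan is a detection aid for existing rule sets and a last line of defence, not a substitute for the input validation: a token list can be bypassed (reflection through string-built class names, for instance), whereas refusing anything outside a tight character set at translation time removes the ability to break out of the template at all. Both checks assume the translator's template is known; a practitioner reviewing a real deployment would run the scan over the DRL actually emitted for the affected modules.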

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2021-27602

Affected Products

SAP Commerce