PT-2021-2218 · Sap · Sap Commerce Cloud

Published: 2021-02-09 · Updated: 2021-02-16 · CVE-2021-21477

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP Commerce Cloud versions 1808 through 2011

Description: The issue is related to errors in code generation management, allowing an authenticated attacker with the required privileges to inject malicious code into Drools rules, leading to Remote Code Execution. This enables the attacker to compromise the underlying host, impairing the confidentiality, integrity, and availability of the application.

Recommendations: For SAP Commerce Cloud versions 1808 through 2011, consider restricting access to editing Drools rules to minimize the risk of exploitation. As a temporary workaround, disabling the editing of Drools rules for users with the required privileges may help until a patch is available.

Fix

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2021-01127
CVE-2021-21477

Affected Products

Sap Commerce Cloud