CVE-2021-33701

Name of the Vulnerable Software and Affected Versions SAP S/4HANA versions prior to the fixed version DMIS Mobile Plug-In versions 2011 1 620 through 2011 1 752, 2020 SAPSCORE version 125 S4CORE versions 102 through 105

Description The issue is related to the lack of protection for the SQL query structure, allowing a remote attacker to execute arbitrary SQL queries. This can lead to a SQL Injection vulnerability, highly impacting systems' Confidentiality, Integrity, and Availability. An attacker with access to a highly privileged account can execute a manipulated query in the NDZT tool to gain access to the Superuser account.

Recommendations For SAP S/4HANA, update to a version that includes the fix for this issue. For DMIS Mobile Plug-In versions 2011 1 620 through 2011 1 752, 2020, update to a version that includes the fix for this issue. For SAPSCORE version 125, update to a version that includes the fix for this issue. For S4CORE versions 102 through 105, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the NDZT tool to minimize the risk of exploitation.