SAP released a note with CVSS 7.5 for component BC-FES-INS on 13.04.2021. The correction/advisory 3039649 is titled "[CVE-2021-27608] Unquoted Search Path in SAPSetup" and affects the system type SAP GUI / Frontend.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of the monthly patch process.
The vulnerability addressed is insecure installation defaults within SAP GUI / Frontend.
Risk specification
An unquoted service path in SAPSetup could lead to privilege escalation during the installation process that is performed when an executable file is registered. An attacker could thereby fully compromise the system on which the installation is performed.
The creation of a new process has been enhanced to use a quoted path to the executable.
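To make the issue concrete, the following Python is an added example (not SAP's code or part of the note): it mirrors the documented Windows CreateProcess rule for an unquoted command line, reports which paths would be probed ahead of the intended executable, and produces the quoted form the correction uses. The SAPSetup paths and the command lines in SAMPLE_COMMAND_LINES are constructed for illustration.

```python
# Constructed sample command lines in the form a Windows service ImagePath or
# installer launcher would hold; the SAP paths are illustrative, not real ones.
SAMPLE_COMMAND_LINES = {
    "quoted_ok": r'"C:\Program Files (x86)\SAP\SapSetup\setup\NwSapSetup.exe" /silent',
    "unquoted":  r'C:\Program Files (x86)\SAP\SapSetup\setup\NwSapSetup.exe /silent',
    "no_spaces": r'C:\SAP\SapSetup\NwSapSetup.exe /silent',
}


def _has_extension(path: str) -> bool:
    """True if the last path component already carries a file extension."""
    return "." in path.rsplit("\\", 1)[-1]


def probed_before_intended(cmdline: str) -> list:
    """Paths CreateProcess would try before reaching the intended executable.

    For an unquoted command line Windows splits at each space and tries every
    prefix as the program, appending .exe when the prefix has no extension,
    and runs the first one that exists. A leading double quote makes the path
    a single token, so nothing is probed. Returns [] when the line is safe.
    """
    if cmdline.startswith('"'):
        return []
    probed = []
    for idx, ch in enumerate(cmdline):
        if ch != " ":
            continue
        prefix = cmdline[:idx]
        if _has_extension(prefix):
            break  # this prefix is the real executable; later spaces separate arguments
        probed.append(prefix + ".exe")
    return probed


def is_unquoted_risk(cmdline: str) -> bool:
    """True when a file placed at one of the probed paths would run instead."""
    return bool(probed_before_intended(cmdline))


def quoted_command_line(exe_path: str, args: str = "") -> str:
    """The corrected form the note describes: the executable path is always quoted."""
    clean = exe_path.strip('"')
    return f'"{clean}" {args}'.rstrip()


def audit(command_lines: dict) -> dict:
    """Map each risky entry name to the paths that would be probed ahead of it."""
    return {name: probed_before_intended(cl)
            for name, cl in command_lines.items() if is_unquoted_risk(cl)}


if __name__ == "__main__":
    for name, probed in audit(SAMPLE_COMMAND_LINES).items():
        print(f"{name}: unquoted path, would probe {probed}")
```

Feeding real ImagePath values from the services registry hive into audit() turns this into a quick check that the installed fix (and any other service) actually quotes its executable path.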
The advisory is valid for
- LMSAPSETUP 9.0