A note with CVSS 5.9 for component KM-WPB-MGR was released by SAP on 08.06.2021. The correction/advisory 3049879 was described with "[CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder - Manager)" and affects the system type SAP Enable Now.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is information disclosure within SAP Enable Now.
Information disclosure is when an application fails to properly protect sensitive and confidential information from
parties that are not supposed to have access to the subject matter in normal circumstances.
Carefully review every information disclosure vulnerablity in regards to disclosure obligations post-GDPR for ‘Personal data’ under the Data Protection Act 2018.
Risk specificationUnder certain conditions errors in the Enable Now login process allow an attacker with physical access to the system to access information that would otherwise be restricted. This information access could lead to malicious data exposure or modification.
SAP Enable Now has been updated to properly enforce the input screening in all scenarios leading to the logon process
SAP Enable Now provides the knowledge your employees need to succeed exactly where and when it’s needed. The product exists for on-premise and cloud applications. A security guide is provided for each facet of the SAP Enable Now product.
The advisory is valid for
- 9.0 [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)
- 8.9 Information Disclosure in Central Order
- 8.6 [CVE-2020-6264] Information Disclosure in SAP Commerce
- 8.3 [CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management
- 8.2 [CVE-2021-21483] Information Disclosure in SAP Solution Manager