On 10.08.2021, SAP SE released a security-relevant correction. The manufacturer resolves an issue within SAP Cloud Connector.
SAP Note 3058553 addresses "[CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector" to prevent weak security function / cryptographic algorithm, cross-site scripting (XSS), and code injection issues, with a medium risk for exploitation.
According to the SAP Security Advisory team, a workaround does not exist. The team suggests implementing the correction as part of the monthly patch process.
Risk specification
Multiple security vulnerabilities allow an attacker with administrative privileges to inject code or exploit a cross-site scripting vulnerability. Additionally, an unauthenticated attacker could leverage an error in the certificate validation to perform a man-in-the-middle attack.
The Cloud Connector was changed to correctly validate certificates. Additionally, the Code Injection and Cross-Site-Scripting (XSS) vulnerabilities were removed.
The advisory is valid for
- SAP_CLOUD_CONNECTOR 2.0