On 14.09.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Business One.
SAP Note 3069032 addresses "[CVE-2021-33685] Directory Traversal vulnerability in SAP Business One" to prevent directory traversal with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationSAP Business One allows through insufficient path information a low-level authenticated attacker to access files that are outside of the restricted directory. A successful attack results in access to sensitive data.
The input is now correctly validated. Customers need to implement or upgrade to SAP Business One 10.0 PL2108
The advisory is valid for