SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3073325
was released on
10.08.2021 and deals with
"[CVE-2021-33700] Missing Authentication check in SAP Business One" within SAP Business One.
We advice you to follow the instructions, to resolve
missing authentication check
high potential for exploitation
in component SBO-CRO-SEC.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as part of maintenance.
Risk specificationSAP Business One allows a local attacker with access to the victim's browser under certain circumstances to log in as the victim without knowing his/her password.
The vulnerable function has been disabled. Customers need to implement or upgrade to SAP Business One 10.0 PL2105 Hotfix1. Alternativly, the consulting team has proposed the following: "Don't use the lockout function and set the timeout to max value(admin user: 999 minutes, normal user: 30 minutes).". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 7.0 score.
The advisory is valid for
- 10.0 [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication)
- 10.0 [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
- 9.8 [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)
- 9.0 [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
- 8.6 [CVE-2020-6235] Missing authentication check in SAP Solution Manager (Diagnostics Agent )