During this month's Patch Tuesday, SAP released two SAP Security Notes that patch vulnerabilities in SAP Master Data Management (SAP MDM). This somewhat exotic SAP solution, acquired by SAP many years ago, is not as widely used as many other SAP products, but it is still seen regularly at customers. SAP MDM is not built on the typical SAP NetWeaver foundation but has its own architecture.
Our research team has found two vulnerabilities in this SAP product that can lead to privilege escalation or even a full takeover of the application. It is therefore important to implement these two SAP Security notes at your earliest convenience:
2998173 – [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1
3000897 – [CVE-2021-21475] Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1
The first SAP Security Note in particular, with a CVSS score of 6.3, should be reviewed promptly: the server password may not have been set during installation, leaving the SAP MDM server reachable without a password and open to exploitation.
For more details, please see the respective SAP Notes listed above.
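The directory traversal class named in note 3000897 is fixed by applying the SAP patch. As an added illustration of the general check such a fix has to perform (example code written for this page, not SAP's MDM code, and assuming a hypothetical document root /srv/mdm/files and a handful of constructed request paths), the function below resolves a client-supplied path against the root and rejects anything that escapes it, including percent-encoded, backslash and NUL-byte variants:

```python
import os
from urllib.parse import unquote

# Hypothetical document root used for this illustration; SAP MDM's real
# on-disk layout is not described on the page.
DOCUMENT_ROOT = "/srv/mdm/files"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would resolve outside the root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise if it escapes `root`.

    The check is done on the fully resolved path rather than by looking for
    the substring "..", so encoded, backslash and "dir/../../.." variants are
    all caught by one containment test. Generic example, not SAP code.
    """
    root_abs = os.path.realpath(root)

    # Decode once, as a web front end normally does before touching the
    # filesystem. A second decoding pass would re-open the hole for
    # "%252e%252e", so the decode is deliberately single.
    decoded = unquote(requested)

    # NUL bytes truncate paths in many native APIs; never let one through.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")

    # Treat backslashes as separators so "..\\..\\" is not smuggled past a
    # POSIX-only normalisation; a leading "/" is relative to the root.
    relative = decoded.replace("\\", "/").lstrip("/")

    # realpath() collapses "." and ".." and follows symlinks, so the
    # comparison below is against what the kernel would actually open.
    candidate = os.path.realpath(os.path.join(root_abs, relative))

    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        raise PathTraversalError(f"{requested!r} resolves outside {root_abs}")
    return candidate


def is_safe(root: str, requested: str) -> bool:
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        resolve_under_root(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed request paths: the first three are legitimate, the rest are
    # traversal attempts in the forms commonly seen in web server logs.
    samples = [
        "reports/2021/q1.xml",
        "/reports/2021/q1.xml",
        "reports/../q1.xml",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "reports/../../../etc/shadow",
        "..\\..\\windows\\win.ini",
        "reports/q1.xml\x00.png",
    ]
    for sample in samples:
        verdict = "allow" if is_safe(DOCUMENT_ROOT, sample) else "DENY"
        print(f"{verdict:5} {sample!r}")
```

The point of the design is that the decision is made on the canonical path the operating system would open, not on the raw request string; a filter that merely searches for ".." is bypassed by encoding or separator tricks, whereas the containment test above treats every variant the same way. Note that a double-encoded "%252e%252e" is allowed through as a literal file name, which is correct: after a single decode it is just an odd directory name inside the root.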