NVD Vulnerability Detail

CVE-2021-21470

Summary	SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application.
Publication Date	Jan. 13, 2021, 12:15 a.m.
Registration Date	Jan. 26, 2021, 12:14 p.m.
Last Update	Nov. 21, 2024, 2:48 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sap:enterprise_performance_management:1010:::::microsoft_office::
cpe:2.3:a:sap:enterprise_performance_management:2.8:::::sap_analysis_office::

Related information, measures and tools

No	URL	タグ
1	https://launchpad.support.sap.com/#/notes/3000291	Permissions Required
2	https://launchpad.support.sap.com/#/notes/3000291	Permissions Required
3	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476	Vendor Advisory
4	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-611	XML 外部エンティティ参照の不適切な制限	https://cwe.mitre.org/data/definitions/611.html

JVN Vulnerability Information

Microsoft Office 用および SAP Analysis Office 用 SAP EPM Add-in における XML 外部エンティティの脆弱性

Title	Microsoft Office 用および SAP Analysis Office 用 SAP EPM Add-in における XML 外部エンティティの脆弱性
Summary	Microsoft Office 用および SAP Analysis Office 用 SAP EPM Add-in には、XML 外部エンティティの脆弱性が存在します。
Possible impacts	情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 12, 2021, midnight
Registration Date	Sept. 15, 2021, 5:57 p.m.
Last Update	Sept. 15, 2021, 5:57 p.m.

Affected System

SAP

EPM ADD-IN 1010

EPM ADD-IN 2.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21470	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21470
National Vulnerability Database (NVD)
2	CVE-2021-21470	https://nvd.nist.gov/vuln/detail/CVE-2021-21470

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-611	https://cwe.mitre.org/data/definitions/611.html

ベンダー情報

No	Name	URL
SAP Security Patch Day
1	SAP Security Patch Day - January 2021	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Change Log

No	Changed Details	Date of change
1	[2021年09月15日] 掲載	Sept. 15, 2021, 5:57 p.m.