CVE-2021-21473: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

CVE-2021-21473 affects SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, and 755. The vulnerability was discovered in late 2020 and involves a function module SRMRFCSUBMIT_REPORT which fails to validate authorization of an authenticated user, allowing unauthorized users to execute reports in SAP NetWeaver ABAP Platform (NVD, CERT-FR).

The vulnerability stems from improper authorization checks in the SRMRFCSUBMITREPORT function module of function group SRMREP. The function uses a dynamically generated program name based on data from untrusted sources in a SUBMIT call without enforcing proper authorization checks. This allows remote attackers to execute any existing ABAP report by providing the respective report name in the import parameter REPORTNAME (SEC Consult). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows unauthorized users to execute reports in the SAP NetWeaver ABAP Platform without having sufficient authorizations. This can lead to unauthorized access to sensitive information and potential manipulation of business data, affecting the confidentiality and integrity of the system (NVD, SEC Consult).

SAP has released a fix for this vulnerability in SAP Security Note 3002517. Organizations are strongly advised to apply this security patch to affected systems. The patch was released in June 2021 as part of SAP's regular security update cycle (SEC Consult).