CVE-2021-37535: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

SAP NetWeaver Application Server Java (JMS Connector Service) versions 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 were found to contain a critical security vulnerability due to missing authorization checks for user privileges. The vulnerability, tracked as CVE-2021-37535, was disclosed in September 2021 and received a maximum CVSS score of 10.0 (SecurityWeek, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. SAP SE assigned an even higher CVSS v3.0 score of 10.0 with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-862: Missing Authorization, indicating a fundamental security control issue where necessary authorization checks are not performed (NVD).

The vulnerability allows an attacker to bypass authorization checks, potentially gaining unauthorized access to sensitive system resources. Due to the missing authorization checks, an attacker could execute privileged operations without proper authentication, leading to potential system compromise (SecurityWeek).

SAP has released security patches to address this vulnerability as part of their September 2021 Security Patch Day. Organizations running affected versions of SAP NetWeaver Application Server Java are strongly advised to apply the available security updates (SecurityWeek).