CVE-2021-27625 Information

Description

SAP Internet Graphics Service versions - 7.207.20EXT7.537.20_EX27.81 allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method IgsData::freeMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack no data in the system can be viewed or modified.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://launchpad.support.sap.com/#/notes/3021050 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 http://seclists.org/fulldisclosure/2021/Oct/31 http://packetstormsecurity.com/files/164598/SAP-NetWeaver-ABAP-IGS-Memory-Corruption.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.9