CVE-2021-33698

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with business authorization in SAP Business One to upload arbitrary files, including malicious scripts, due to insufficient file format validation. Attackers could execute code on the server, potentially compromising the entire system. Only SAP Business One version 10.0 installations are affected.

💻 Affected Systems

Products:
  • SAP Business One
Versions: Version 10.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires business authorization; not exploitable by unauthenticated users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through remote code execution, data theft, and lateral movement within the network.

🟠

Likely Case

Unauthorized file upload leading to web shell deployment and limited server access.

🟢

If Mitigated

No impact if proper file validation and access controls are implemented.

🌐 Internet-Facing: HIGH if the application is exposed to the internet, as authenticated users could exploit it remotely.
🏢 Internal Only: HIGH even internally, as authorized users could abuse their privileges to upload malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authorized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3071984

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3071984

Restart Required: Yes

Instructions:

1. Download and apply SAP Note 3071984 from the SAP Support Portal.
2. Restart the SAP Business One application server.
3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Restrict File Upload Permissions

all

Limit file upload capabilities to trusted users only and implement strict file type validation.

Implement Web Application Firewall (WAF)

all

Deploy a WAF to block malicious file upload attempts and script execution.

🧯 If You Can't Patch

  • Monitor and audit all file upload activities for suspicious patterns.
  • Isolate the SAP Business One server from critical network segments.

🔍 How to Verify

Check if Vulnerable:

The installation is vulnerable if it runs SAP Business One version 10.0 and SAP Note 3071984 has not been applied.

Check Version:

Check the SAP Business One administration console or refer to system documentation for version details.

Verify Fix Applied:

Verify that SAP Note 3071984 is installed and the application version is updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, especially with script extensions like .asp, .php, .jsp
  • Failed file validation attempts

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file types

SIEM Query:

source="sap_business_one" AND (event="file_upload" AND file_extension IN ("asp", "php", "jsp", "exe"))

🔗 References
