Gui For Windows
CVE-2021-40503
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.
AnalysisAI
An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user. Affected products include: Sap Gui For Windows.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
More in Gui For Windows
View allSAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary co
SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a vi
In specific situations SAP GUI for Windows until and including 7.60 PL9, 7.70 PL0, forwards a user to specific malicious
Under certain conditions, the memory of SAP GUI for Windows contains the password used to log on to an SAP system, which
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today