CVE-2021-40498
CVE-2021-40498 is a medium-severity vulnerability in Sap Successfactors Mobile with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v2: 2.1
- EPSS exploit prediction: 0% (12th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Sap Successfactors Mobile
- Published:
- Last modified:
Description
A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the users device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attacks that can be used for staging other types of attacks.
Frequently asked questions
- What is CVE-2021-40498?
- A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the users device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attacks that can be used for staging other types of attacks.
- How severe is CVE-2021-40498?
- CVE-2021-40498 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2021-40498 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-40498?
- CVE-2021-40498 affects Sap Successfactors Mobile. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-40498?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-40498 published?
- CVE-2021-40498 was published on 2021-10-12 and last updated on 2026-06-17.
References
- https://launchpad.support.sap.com/#/notes/3077635
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
Affected products (1)
- cpe:2.3:a:sap:successfactors_mobile:*:*:*:*:*:android:*:*
More vulnerabilities in Sap Successfactors Mobile
- CVE-2022-35291 — High (CVSS 8.1): Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to…