← Back to CVEs

CVE-2021-27635

MEDIUM

6.5

Description

SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.

CVE Details

CVSS v3.1 Score6.5

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionNONE

Published6/9/2021

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

sap:netweaver_application_server_for_java

Weaknesses (CWE)

CWE-611

References

http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html(cna@sap.com)

http://seclists.org/fulldisclosure/2021/Oct/28(cna@sap.com)

https://launchpad.support.sap.com/#/notes/3053066(cna@sap.com)

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999(cna@sap.com)

http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html(af854a3a-2127-422b-91ae-364da2661108)

http://seclists.org/fulldisclosure/2021/Oct/28(af854a3a-2127-422b-91ae-364da2661108)

https://launchpad.support.sap.com/#/notes/3053066(af854a3a-2127-422b-91ae-364da2661108)

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.