← Retour aux CVEs
CVE-2021-27635
MEDIUM6.5
Description
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.
Details CVE
Score CVSS v3.16.5
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisHIGH
Interaction utilisateurNONE
Publie6/9/2021
Derniere modification11/21/2024
Sourcenvd
Observations honeypot0
Produits affectes
sap:netweaver_application_server_for_java
Faiblesses (CWE)
CWE-611
References
http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html(cna@sap.com)
http://seclists.org/fulldisclosure/2021/Oct/28(cna@sap.com)
https://launchpad.support.sap.com/#/notes/3053066(cna@sap.com)
http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2021/Oct/28(af854a3a-2127-422b-91ae-364da2661108)
https://launchpad.support.sap.com/#/notes/3053066(af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999(af854a3a-2127-422b-91ae-364da2661108)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.