CVE-2021-27635
SAP NetWeaver AS for JAVA, versions 7.20, 7.30, 7.31, 7.40 and 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML validation. This vulnerability enables the attacker to fully compromise confidentiality by reading any file on the filesystem, or to fully compromise availability by causing the system to crash. The attack cannot be used to change any data, so integrity is not compromised.
Published
2021-06-09T14:15:09.453
Last Modified
2024-11-21T05:58:20.903
Status
Modified
Source
[email protected]
Severity
CVSSv3.1: 6.5 (MEDIUM)
CVSSv2 Vector
AV:N/AC:L/Au:S/C:P/I:N/A:P
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: SINGLE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: PARTIAL
Exploitability Score
8.0
Impact Score
4.9
Weaknesses
Affected Vendors & Products
References
- http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html
  Patch, Third Party Advisory, VDB Entry ([email protected])
- http://seclists.org/fulldisclosure/2021/Oct/28
  Mailing List, Patch, Third Party Advisory ([email protected])
- https://launchpad.support.sap.com/#/notes/3053066
  Permissions Required, Vendor Advisory ([email protected])
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
  Vendor Advisory ([email protected])
- http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html
  Patch, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
- http://seclists.org/fulldisclosure/2021/Oct/28
  Mailing List, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
- https://launchpad.support.sap.com/#/notes/3053066
  Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
  Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)