Lucene search

SapCVE-2021-44235

HistoryDec 14, 2021 - 4:15 p.m.

CVE-2021-44235

2021-12-1416:15:09

CWE-78

sap

web.nvd.nist.gov

sap

netweaver

abap

code injection

cve-2021-44235

nvd

security vulnerability

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

Percentile

13.1%

JSON

Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.

Affected configurations

Nvd

Node

sapnetweaver_application_server_abapMatch700

sapnetweaver_application_server_abapMatch701

sapnetweaver_application_server_abapMatch702

sapnetweaver_application_server_abapMatch710

sapnetweaver_application_server_abapMatch711

sapnetweaver_application_server_abapMatch730

sapnetweaver_application_server_abapMatch731

sapnetweaver_application_server_abapMatch740

sapnetweaver_application_server_abapMatch750

sapnetweaver_application_server_abapMatch751

sapnetweaver_application_server_abapMatch752

sapnetweaver_application_server_abapMatch753

sapnetweaver_application_server_abapMatch754

sapnetweaver_application_server_abapMatch755

sapnetweaver_application_server_abapMatch756

VendorProductVersionCPE
sapnetweaver_application_server_abap700cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*
sapnetweaver_application_server_abap701cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*
sapnetweaver_application_server_abap702cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*
sapnetweaver_application_server_abap710cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*
sapnetweaver_application_server_abap711cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*
sapnetweaver_application_server_abap730cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*
sapnetweaver_application_server_abap731cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*
sapnetweaver_application_server_abap740cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*
sapnetweaver_application_server_abap750cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*
sapnetweaver_application_server_abap751cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	netweaver_application_server_abap	700	cpe:2.3:a:sap:netweaver_application_server_abap:700:::::::*
sap	netweaver_application_server_abap	701	cpe:2.3:a:sap:netweaver_application_server_abap:701:::::::*
sap	netweaver_application_server_abap	702	cpe:2.3:a:sap:netweaver_application_server_abap:702:::::::*
sap	netweaver_application_server_abap	710	cpe:2.3:a:sap:netweaver_application_server_abap:710:::::::*
sap	netweaver_application_server_abap	711	cpe:2.3:a:sap:netweaver_application_server_abap:711:::::::*
sap	netweaver_application_server_abap	730	cpe:2.3:a:sap:netweaver_application_server_abap:730:::::::*
sap	netweaver_application_server_abap	731	cpe:2.3:a:sap:netweaver_application_server_abap:731:::::::*
sap	netweaver_application_server_abap	740	cpe:2.3:a:sap:netweaver_application_server_abap:740:::::::*
sap	netweaver_application_server_abap	750	cpe:2.3:a:sap:netweaver_application_server_abap:750:::::::*
sap	netweaver_application_server_abap	751	cpe:2.3:a:sap:netweaver_application_server_abap:751:::::::*

Rows per page:

1-10 of 151

CNA Affected

[
  {
    "product": "SAP NetWeaver AS ABAP",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 700"
      },
      {
        "status": "affected",
        "version": "< 701"
      },
      {
        "status": "affected",
        "version": "< 702"
      },
      {
        "status": "affected",
        "version": "< 710"
      },
      {
        "status": "affected",
        "version": "< 711"
      },
      {
        "status": "affected",
        "version": "< 730"
      },
      {
        "status": "affected",
        "version": "< 731"
      },
      {
        "status": "affected",
        "version": "< 740"
      },
      {
        "status": "affected",
        "version": "< 750"
      },
      {
        "status": "affected",
        "version": "< 751"
      },
      {
        "status": "affected",
        "version": "< 752"
      },
      {
        "status": "affected",
        "version": "< 753"
      },
      {
        "status": "affected",
        "version": "< 754"
      },
      {
        "status": "affected",
        "version": "< 755"
      },
      {
        "status": "affected",
        "version": "< 756"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3123196

wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

Percentile

13.1%

JSON

Related for CVE-2021-44235