CVE-2021-38163

2021-09-1411:21:36

sap

www.cve.org

sap netweaver

visual composer

cve-2021-38163

upload vulnerability

non-admin user

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.922

Percentile

99.0%

JSON

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver (Visual Composer 7.0 RT)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.30"
      },
      {
        "status": "affected",
        "version": "7.31"
      },
      {
        "status": "affected",
        "version": "7.40"
      },
      {
        "status": "affected",
        "version": "7.50"
      }
    ]
  }
]