CVE-2021-21485

CWE-200 — Information Exposure3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 49.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Java (telnet Commands)SAP Netweaver Application Server Java

Timeline

PublishedApr 13

Latest updateMay 24

Description

An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_java_(telnet_commands)4 versions+3

▶NVDsap/netweaver_application6 versions+5

🔴Vulnerability Details

GHSA

GHSA-88r2-jwq3-7x27: An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow t↗2022-05-24

▶

CVEList

CVE-2021-21485: An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow t↗2021-04-13

▶