CVE-2021-21492

CWE-2903 documents3 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 62.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Java (http Service)SAP Netweaver Application Server Java

Timeline

PublishedApr 13

Latest updateMay 24

Description

SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_java_(http_service)< 7.10+6

▶NVDsap/netweaver_application7 versions+6

🔴Vulnerability Details

GHSA

GHSA-p6c6-6r9j-859q: SAP NetWeaver Application Server Java(HTTP Service), versions - 7↗2022-05-24

▶

CVEList

CVE-2021-21492: SAP NetWeaver Application Server Java(HTTP Service), versions - 7↗2021-04-13

▶