CVE-2021-27611 — Code Injection in SE SAP Netweaver AS Abap

CWE-94 — Code Injection CWE-74 — Injection3 documents3 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 70.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS Abap SAP Netweaver Application Server Abap

Timeline

PublishedMay 11

Latest updateMay 24

Description

SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_abap< 700+4

▶NVDsap/netweaver_application5 versions+4

🔴Vulnerability Details

GHSA

GHSA-jx2j-mp5m-4xfh: SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when↗2022-05-24

▶

CVEList

CVE-2021-27611: SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when↗2021-05-11

▶