CVE-2021-27617 — Improper Input Validation in SE SAP Process Integration

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 56.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Process Integration SAP Netweaver Process Integration

Timeline

PublishedMay 11

Latest updateMay 24

Description

The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_process_integration< 7.10+6

▶NVDsap/netweaver_process_integration7 versions+6

🔴Vulnerability Details

GHSA

GHSA-j8m5-m975-227f: The Integration Builder Framework of SAP Process Integration versions - 7↗2022-05-24

▶

CVEList

CVE-2021-27617: The Integration Builder Framework of SAP Process Integration versions - 7↗2021-05-11

▶