CVE-2021-27618

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

4.9MEDIUM

EPSS

0.2%

top 56.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Process Integration (integration Builder Framework)SAP Netweaver Process Integration

Timeline

PublishedMay 11

Latest updateMay 24

Description

The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_process_integration_(integration_builder_framework)< 7.10+6

▶NVDsap/netweaver_process_integration7 versions+6

🔴Vulnerability Details

GHSA

GHSA-fq48-p44p-fxj5: The Integration Builder Framework of SAP Process Integration versions - 7↗2022-05-24

▶

OSV

glibc vulnerabilities↗2022-03-01

▶

CVEList

CVE-2021-27618: The Integration Builder Framework of SAP Process Integration versions - 7↗2021-05-11

▶