CVE-2021-27635

CWE-611 — XML External Entity (XXE)3 documents3 sources

Severity

6.5MEDIUM

EPSS

2.1%

top 16.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Java SAP Netweaver Application Server FOR Java

Timeline

PublishedJun 9

Latest updateMay 24

Description

SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compr…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:HExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_java< 7.20+4

▶NVDsap/netweaver_application5 versions+4

Patches

Patch: packetstormsecurity.com ↗Patch: seclists.org ↗Patch: packetstormsecurity.com ↗

🔴Vulnerability Details

GHSA

GHSA-353p-c73g-8fwc: SAP NetWeaver AS for JAVA, versions - 7↗2022-05-24

▶

CVEList

CVE-2021-27635: SAP NetWeaver AS for JAVA, versions - 7↗2021-06-09

▶