CVE-2021-33670

CWE-770 — Allocation without Limits4 documents4 sources

Severity

7.5HIGH

EPSS

5.6%

top 9.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Java (http Service)SAP Netweaver Application Server Java

Timeline

PublishedJul 14

Latest updateMay 24

Description

SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_java_(http_service)< 7.10+6

▶NVDsap/netweaver_application7 versions+6

Patches

Patch: packetstormsecurity.com ↗Patch: seclists.org ↗Patch: packetstormsecurity.com ↗

🔴Vulnerability Details

GHSA

GHSA-cw5h-4qfv-qqr2: SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33670: SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7↗2021-07-14

▶

📋Vendor Advisories

Red Hat

SAP-NetWeaver: Denial of Service in SAP NetWeaver JAVA↗2022-05-04

▶