CVE-2021-33671 — Missing Authorization in SE SAP Netweaver Guided Procedures

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 55.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Guided Procedures SAP Netweaver Guided Procedures

Timeline

PublishedJul 14

Latest updateMay 24

Description

SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_guided_procedures< 7.10+5

▶NVDsap/netweaver_guided_procedures6 versions+5

🔴Vulnerability Details

GHSA

GHSA-8c4x-5xx5-w877: SAP NetWeaver Guided Procedures (Administration Workset), versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33671: SAP NetWeaver Guided Procedures (Administration Workset), versions - 7↗2021-07-14

▶