Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-33690

CWE-918 — Server-Side Request Forgery (SSRF)5 documents5 sources

Severity

9.9CRITICAL

EPSS

93.3%

top 0.20%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

SAP SE SAP Netweaver Development Infrastructure (component Build Service)SAP Netweaver Development Infrastructure

Timeline

PublishedSep 15

Latest updateMay 24

Description

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_development_infrastructure_(component_build_service)< 7.11+5

▶NVDsap/netweaver_development_infrastructure6 versions+5

Patches

Patch: wiki.scn.sap.com ↗Patch: wiki.scn.sap.com ↗

🔴Vulnerability Details

GHSA

GHSA-76pj-fv2h-qvfg: Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions -↗2022-05-24

▶

CVEList

CVE-2021-33690: Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions -↗2021-09-15

▶

VulnCheck

SAP NetWeaver Server-Side Request Forgery (SSRF)↗2021

▶

💥Exploits & PoCs

Nuclei

SAP NetWeaver Development Infrastructure - Server Side Request Forgery

▶