CVE-2021-33705 — Server-Side Request Forgery in SE SAP Netweaver Enterprise Portal

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.7%

top 28.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Enterprise Portal SAP Netweaver Portal

Timeline

PublishedSep 15

Latest updateMay 24

Description

The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_enterprise_portal< 7.10+6

▶NVDsap/netweaver_portal7 versions+6

Patches

Patch: wiki.scn.sap.com ↗Patch: wiki.scn.sap.com ↗

🔴Vulnerability Details

GHSA

GHSA-rwjf-4f53-289h: The SAP NetWeaver Portal, versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33705: The SAP NetWeaver Portal, versions - 7↗2021-09-15

▶