CVE-2021-21492

Summary

SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.10affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.11affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.20affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.30affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.31affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.40affected
SAP SESAP NetWeaver AS for JAVA (HTTP Service)< 7.50affected

Weaknesses

  • CWE-290: Content Spoofing (CWE-290)

ADP Enrichment

CVE Program Container

Additional References

References