CVE-2021-38163
9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP SE | SAP NetWeaver (Visual Composer 7.0 RT) | 7.30 | affected |
| SAP SE | SAP NetWeaver (Visual Composer 7.0 RT) | 7.31 | affected |
| SAP SE | SAP NetWeaver (Visual Composer 7.0 RT) | 7.40 | affected |
| SAP SE | SAP NetWeaver (Visual Composer 7.0 RT) | 7.50 | affected |
Weaknesses
- Unrestricted File Upload
ADP Enrichment
CVE Program Container
Additional References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
- https://launchpad.support.sap.com/#/notes/3084487
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
- https://launchpad.support.sap.com/#/notes/3084487
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.