First published: Wed Jun 09 2021
SAP NetWeaver AS for JAVA, versions 7.20, 7.30, 7.31, 7.40 and 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file to the application because of missing XML validation. This vulnerability enables the attacker to fully compromise confidentiality by reading any file on the filesystem, or to fully compromise availability by causing the system to crash. The attack cannot be used to change any data, so integrity is not compromised.
Credit: cna@sap.com
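The root cause described above is an XML parser that accepts untrusted documents without validation, so entity declarations in the input can pull in local files or exhaust the parser. The following is an added illustration (not SAP's code and not part of this advisory) of the standard mitigation on the Java platform: a DocumentBuilderFactory configured to reject DOCTYPE declarations and external entities, exercised against a constructed sample document. The element names and the file path in the sample are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {
    // Constructed sample (not from the advisory): a document carrying an external entity
    // declaration of the kind an unhardened parser would resolve against the local filesystem.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE connection [<!ENTITY ext SYSTEM \"file:///example/path\">]>\n"
        + "<connection><host>&ext;</host></connection>";

    // Parser hardened against external entity resolution and DTD processing.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright blocks both file disclosure and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means no external protocol is permitted.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Returns true when the document is accepted, false when the parser rejects it.
    static boolean accepts(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("sample with DOCTYPE accepted: " + accepts(hardened, SAMPLE));
        System.out.println("plain document accepted: "
            + accepts(hardened, "<connection><host>db01</host></connection>"));
    }
}
```

The hardened builder rejects the sample at the DOCTYPE declaration, before any entity is resolved, while a plain document without a DTD still parses.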
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver Application Server for Java | =7.20 | |
| SAP NetWeaver Application Server for Java | =7.30 | |
| SAP NetWeaver Application Server for Java | =7.31 | |
| SAP NetWeaver Application Server for Java | =7.40 | |
| SAP NetWeaver Application Server for Java | =7.50 | |
http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html
CVE-2021-27635 is a vulnerability in SAP NetWeaver AS for JAVA, versions 7.20, 7.30, 7.31, 7.40, and 7.50, that allows an authenticated attacker to submit a specially crafted XML file over a network, leading to a compromise of the system.
The severity of CVE-2021-27635 is critical, with a CVSSv3 score of 6.5.
CVE-2021-27635 allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file, leading to a full compromise of the system.
SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40, and 7.50 are affected by CVE-2021-27635.