CVE-2021-44235: OS Command Injection
First published: Tue Dec 14 2021(Updated: )
Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.
Credit: cna@sap.com cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP NetWeaver Application Server ABAP | =700 | |
| SAP NetWeaver Application Server ABAP | =701 | |
| SAP NetWeaver Application Server ABAP | =702 | |
| SAP NetWeaver Application Server ABAP | =710 | |
| SAP NetWeaver Application Server ABAP | =711 | |
| SAP NetWeaver Application Server ABAP | =730 | |
| SAP NetWeaver Application Server ABAP | =731 | |
| SAP NetWeaver Application Server ABAP | =740 | |
| SAP NetWeaver Application Server ABAP | =750 | |
| SAP NetWeaver Application Server ABAP | =751 | |
| SAP NetWeaver Application Server ABAP | =752 | |
| SAP NetWeaver Application Server ABAP | =753 | |
| SAP NetWeaver Application Server ABAP | =754 | |
| SAP NetWeaver Application Server ABAP | =755 | |
| SAP NetWeaver Application Server ABAP | =756 | |
| =700 | ||
| =701 | ||
| =702 | ||
| =710 | ||
| =711 | ||
| =730 | ||
| =731 | ||
| =740 | ||
| =750 | ||
| =751 | ||
| =752 | ||
| =753 | ||
| =754 | ||
| =755 | ||
| =756 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-44235?
CVE-2021-44235 is a vulnerability in SAP NetWeaver AS ABAP versions 700-756 that allows an attacker with high privileges and direct access to the SAP System to inject code when executing with a certain transaction class builder.
What is the severity of CVE-2021-44235?
CVE-2021-44235 has a severity rating of 6.7 (high).
Which versions of SAP NetWeaver AS ABAP are affected by CVE-2021-44235?
CVE-2021-44235 affects versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, and 756 of SAP NetWeaver AS ABAP.
How can an attacker exploit CVE-2021-44235?
An attacker with high privileges and direct access to the SAP System can exploit CVE-2021-44235 by injecting code during execution with a specific transaction class builder.
Is there a patch available for CVE-2021-44235?
Yes, SAP has released a security patch for CVE-2021-44235. Users are advised to apply the patch as soon as possible.
- collector/nvd-index
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/sap
- canonical/sap netweaver application server abap
- version/sap netweaver application server abap/700
- version/sap netweaver application server abap/701
- version/sap netweaver application server abap/702
- version/sap netweaver application server abap/710
- version/sap netweaver application server abap/711
- version/sap netweaver application server abap/730
- version/sap netweaver application server abap/731
- version/sap netweaver application server abap/740
- version/sap netweaver application server abap/750
- version/sap netweaver application server abap/751
- version/sap netweaver application server abap/752
- version/sap netweaver application server abap/753
- version/sap netweaver application server abap/754
- version/sap netweaver application server abap/755
- version/sap netweaver application server abap/756