CVE-2021-33690

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

CVSS v3 9.9 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3072955	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_development_infrastructure:7.11:::::::*
	cpe:2.3:a:sap:netweaver_development_infrastructure:7.20:::::::*
	cpe:2.3:a:sap:netweaver_development_infrastructure:7.30:::::::*
	cpe:2.3:a:sap:netweaver_development_infrastructure:7.31:::::::*
	cpe:2.3:a:sap:netweaver_development_infrastructure:7.40:::::::*
	cpe:2.3:a:sap:netweaver_development_infrastructure:7.50:::::::*

History

No history.

Information

Published : 2021-09-15 19:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-33690

Mitre link : CVE-2021-33690

CVE.ORG link : CVE-2021-33690

JSON object : View

Products Affected

sap

netweaver_development_infrastructure

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2021-33690", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2021-09-15T19:15:09.093", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3072955", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806", "tags": ["Patch", "Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en SAP NetWeaver Development Infrastructure Component Build Service versiones - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP NetWeaver Development Infrastructure Component Build Service permite a un actor de la amenaza que tenga acceso al servidor llevar a cabo ataques proxy en el servidor mediante el env\u00edo de consultas dise\u00f1adas. Debido a esto, el actor de la amenaza podr\u00eda comprometer completamente los datos confidenciales que residen en el servidor e impactar en su disponibilidad. Nota: El impacto de esta vulnerabilidad depende de si SAP NetWeaver Development Infrastructure (NWDI) se ejecuta en la intranet o en Internet. La puntuaci\u00f3n CVSS refleja el impacto considerando el peor de los casos en que se ejecuta en Internet"}], "lastModified": "2021-09-28T15:04:45.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB564502-4959-46CF-BD93-0928F97C3106"}, {"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0524316B-A7BE-4A96-9B48-4FAC39ABB262"}, {"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6461DE2-4828-4A7C-B8B0-DC3E4AD2EEA9"}, {"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFA0B55C-B687-4E13-ADC9-5F1A2059DA6F"}, {"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ACDCB10-87D1-46F1-B244-E4930B53BC92"}, {"criteria": "cpe:2.3:a:sap:netweaver_development_infrastructure:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88555DEC-8AEC-45EE-80BF-C1CE58DE3374"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}