8.1
CVE-2021-33705
- EPSS 0.69%
- Published 15.09.2021 19:15:09
- Last modified 21.11.2024 06:09:24
- Source cna@sap.com
The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
Data provided by the National Vulnerability Database (NVD)
SAP ≫ Netweaver Portal Version 7.10
SAP ≫ Netweaver Portal Version 7.11
SAP ≫ Netweaver Portal Version 7.20
SAP ≫ Netweaver Portal Version 7.30
SAP ≫ Netweaver Portal Version 7.31
SAP ≫ Netweaver Portal Version 7.40
SAP ≫ Netweaver Portal Version 7.50
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.69% | 0.694 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 8.1 | 2.8 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
nvd@nist.gov | 5.8 | 8.6 | 4.9 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
cna@sap.com | 8.1 | 2.8 | 5.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.