Vulnerability Name: CVE-2021-33663 (CCN-203389)

Assigned: 2021-06-08
Published: 2021-06-08
Updated: 2022-10-05
Summary: SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
5.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
5.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Bypass Security
References:

Source: MITRE
Type: CNA
CVE-2021-33663

Source: XF
Type: UNKNOWN
sap-cve202133663-sec-bypass(203389)

Source: CCN
Type: SAP Web site
SAP Support Note 3030604

Source: MISC
Type: Permissions Required, Vendor Advisory
https://launchpad.support.sap.com/#/notes/3030604

Source: CCN
Type: SAP Security Patch Day - June 2021
SAP Security Patch Day - June 2021

Source: MISC
Type: Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.81:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.84:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl32nuc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.73:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.82:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_7.83:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl32nuc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl32uc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl32uc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.73:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:sap:netweaver_as_abap:krnl32nuc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl32nuc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl32uc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl32uc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_8.04:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_7.53:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:krnl64uc_7.73:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.22:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_8.04:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.49:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.53:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.73:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.77:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.81:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.82:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.83:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:kernel_7.84:*:*:*:*:*:*:*

* Denotes that component is vulnerable