Vulnerability Name:

CVE-2021-33678 (CCN-205396)

Assigned:2021-07-13
Published:2021-07-13
Updated:2022-10-05
Summary:A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Complete
8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-95
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-33678

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)

Source: XF
Type: UNKNOWN
sap-cve202133678-dos(205396)

Source: CCN
Type: SAP Web site
SAP Support Note 3048657

Source: MISC
Type: Permissions Required
https://launchpad.support.sap.com/#/notes/3048657

Source: CCN
Type: Packet Storm Security [05-19-2022]
SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization

Source: CCN
Type: SAP Security Patch Day - July 2021
SAP Security Patch Day - July 2021

Source: MISC
Type: Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75b:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75c:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75d:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75e:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:75f:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:sap:netweaver_as_abap:700:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:701:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:702:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:730:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:731:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:740:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:750:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:751:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:752:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:711:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75a:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75b:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75c:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75d:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75e:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:75f:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    sap netweaver application server abap 702
    sap netweaver application server abap 750
    sap netweaver application server abap 752
    sap netweaver application server abap 700
    sap netweaver application server abap 710
    sap netweaver application server abap 730
    sap netweaver application server abap 731
    sap netweaver application server abap 711
    sap netweaver application server abap 740
    sap netweaver application server abap 751
    sap netweaver application server abap 75a
    sap netweaver application server abap 75b
    sap netweaver application server abap 75c
    sap netweaver application server abap 75d
    sap netweaver application server abap 75e
    sap netweaver application server abap 701
    sap netweaver application server abap 75f
    sap netweaver as abap 700
    sap netweaver as abap 701
    sap netweaver as abap 702
    sap netweaver as abap 730
    sap netweaver as abap 731
    sap netweaver as abap 740
    sap netweaver as abap 750
    sap netweaver as abap 751
    sap netweaver as abap 752
    sap netweaver as abap 711
    sap netweaver as abap 75a
    sap netweaver as abap 75b
    sap netweaver as abap 75c
    sap netweaver as abap 75d
    sap netweaver as abap 75e
    sap netweaver as abap 75f