Vulnerability Name: CVE-2021-33678 (CCN-205396) Assigned: 2021-07-13 Published: 2021-07-13 Updated: 2022-10-05 Summary: A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable. CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H )5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): HighAvailibility (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H )5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): Complete
8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): NoneIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-95 Vulnerability Consequences: Denial of Service References: Source: MITRE Type: CNACVE-2021-33678 Source: MISC Type: Exploit, Third Party Advisory, VDB Entryhttp://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html Source: FULLDISC Type: Exploit, Mailing List, Third Party Advisory20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components) Source: XF Type: UNKNOWNsap-cve202133678-dos(205396) Source: CCN Type: SAP Web siteSAP Support Note 3048657 Source: MISC Type: Permissions Requiredhttps://launchpad.support.sap.com/#/notes/3048657 Source: CCN Type: Packet Storm Security [05-19-2022]SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization Source: CCN Type: SAP Security Patch Day - July 2021SAP Security Patch Day - July 2021 Source: MISC Type: Vendor Advisoryhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 Vulnerable Configuration: Configuration 1 :cpe:/a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75b:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75c:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75d:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75e:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:75f:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:sap:netweaver_as_abap:700:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:701:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:702:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:730:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:751:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:711:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75a:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75b:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75c:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75d:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75e:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:75f:*:*:*:*:*:*:* Denotes that component is vulnerable BACK
sap netweaver application server abap 702
sap netweaver application server abap 750
sap netweaver application server abap 752
sap netweaver application server abap 700
sap netweaver application server abap 710
sap netweaver application server abap 730
sap netweaver application server abap 731
sap netweaver application server abap 711
sap netweaver application server abap 740
sap netweaver application server abap 751
sap netweaver application server abap 75a
sap netweaver application server abap 75b
sap netweaver application server abap 75c
sap netweaver application server abap 75d
sap netweaver application server abap 75e
sap netweaver application server abap 701
sap netweaver application server abap 75f
sap netweaver as abap 700
sap netweaver as abap 701
sap netweaver as abap 702
sap netweaver as abap 730
sap netweaver as abap 731
sap netweaver as abap 740
sap netweaver as abap 750
sap netweaver as abap 751
sap netweaver as abap 752
sap netweaver as abap 711
sap netweaver as abap 75a
sap netweaver as abap 75b
sap netweaver as abap 75c
sap netweaver as abap 75d
sap netweaver as abap 75e
sap netweaver as abap 75f