Vulnerability Name: CVE-2021-44235 (CCN-215210) Assigned: 2021-12-14 Published: 2021-12-14 Updated: 2022-10-06 Summary: Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. CVSS v3 Severity: 6.7 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): AdjacentAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
7.7 High (CCN CVSS v2 Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): Adjacent_NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-78 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2021-44235 sap-cve202144235-cmd-exec(215210) SAP Support Note 3123196 https://launchpad.support.sap.com/#/notes/3123196 SAP Security Patch Day - December 2021 https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 Vulnerable Configuration: Configuration 1 :cpe:/a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:sap:netweaver_as_abap:700:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:701:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:702:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:730:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:751:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:753:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:754:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:710:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:711:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:755:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:756:*:*:*:*:*:*:* BACK
sap netweaver application server abap 702
sap netweaver application server abap 750
sap netweaver application server abap 752
sap netweaver application server abap 753
sap netweaver application server abap 754
sap netweaver application server abap 755
sap netweaver application server abap 756
sap netweaver application server abap 700
sap netweaver application server abap 710
sap netweaver application server abap 701
sap netweaver application server abap 711
sap netweaver application server abap 730
sap netweaver application server abap 731
sap netweaver application server abap 740
sap netweaver application server abap 751
sap netweaver as abap 700
sap netweaver as abap 701
sap netweaver as abap 702
sap netweaver as abap 730
sap netweaver as abap 731
sap netweaver as abap 740
sap netweaver as abap 750
sap netweaver as abap 751
sap netweaver as abap 752
sap netweaver as abap 753
sap netweaver as abap 754
sap netweaver as abap 710
sap netweaver as abap 711
sap netweaver as abap 755
sap netweaver as abap 756
Denotes that component is vulnerable