Details of VAR-202106-1530

ID

VAR-202106-1530

CVE

CVE-2021-33663

TITLE

SAP NetWeaver AS ABAP Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-007823

DESCRIPTION

SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. SAP NetWeaver AS ABAP Contains an improper authentication vulnerability.Information may be tampered with

Trust: 1.62

sources: NVD: CVE-2021-33663 // JVNDB: JVNDB-2021-007823

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.73	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_7.53	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.53	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_7.22	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_8.04	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64nuc_7.49	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.81	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl32uc_7.22	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.82	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl32nuc_7.22ext	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_7.49	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_7.73	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_7.22ext	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64nuc_7.22ext	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64nuc_7.22	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.49	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl32uc_7.22ext	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.84	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.77	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.22	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	kernel_7.83	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl32nuc_7.22	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	krnl64uc_8.04	Trust: 1.0
vendor:	sap	model:	netweaver as abap	scope:	eq	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver as abap	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007823 // NVD: CVE-2021-33663

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-33663
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-202106-441
value:	MEDIUM
Trust: 0.6

NVD:	CVE-2021-33663
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.8

NVD:	CVE-2021-33663
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-33663
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-007823 // CNNVD: CNNVD-202106-441 // NVD: CVE-2021-33663

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.0
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-007823 // NVD: CVE-2021-33663

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-441

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202106-441

CONFIGURATIONS

sources: NVD: CVE-2021-33663

PATCH

title:	SAP Security Patch Day - June 2021	url:	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=578125999	Trust: 0.8
title:	SAP Netweaver Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=154223	Trust: 0.6

sources: JVNDB: JVNDB-2021-007823 // CNNVD: CNNVD-202106-441

EXTERNAL IDS

db:	NVD	id:	CVE-2021-33663	Trust: 3.2
db:	JVNDB	id:	JVNDB-2021-007823	Trust: 0.8
db:	CNNVD	id:	CNNVD-202106-441	Trust: 0.6

sources: JVNDB: JVNDB-2021-007823 // CNNVD: CNNVD-202106-441 // NVD: CVE-2021-33663

REFERENCES

url:	https://launchpad.support.sap.com/#/notes/3030604	Trust: 1.6
url:	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=578125999	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33663	Trust: 0.8
url:	https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-of-june-2021-35633	Trust: 0.6

sources: JVNDB: JVNDB-2021-007823 // CNNVD: CNNVD-202106-441 // NVD: CVE-2021-33663

SOURCES

db:	JVNDB	id:	JVNDB-2021-007823
db:	CNNVD	id:	CNNVD-202106-441
db:	NVD	id:	CVE-2021-33663

LAST UPDATE DATE

2022-07-14T22:24:19.359000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-007823	date:	2022-02-24T08:30:00
db:	CNNVD	id:	CNNVD-202106-441	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-33663	date:	2021-06-15T16:28:00

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-007823	date:	2022-02-24T00:00:00
db:	CNNVD	id:	CNNVD-202106-441	date:	2021-06-08T00:00:00
db:	NVD	id:	CVE-2021-33663	date:	2021-06-09T14:15:00