ID

VAR-202109-1053


CVE

CVE-2021-38163


TITLE

OS command injection vulnerability in SAP NetWeaver

Trust: 0.8

sources: JVNDB: JVNDB-2021-011902

DESCRIPTION

In SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40 and 7.50, an attacker authenticated as a non-administrative user can, without restriction, upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down, making it unavailable. An OS command injection vulnerability exists in SAP NetWeaver. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please follow CNNVD or manufacturer announcements.

Trust: 2.25

sources: NVD: CVE-2021-38163 // JVNDB: JVNDB-2021-011902 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-38163

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-011902 // NVD: CVE-2021-38163

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38163
value: HIGH

Trust: 1.0

cna@sap.com: CVE-2021-38163
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-38163
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-800
value: HIGH

Trust: 0.6

VULMON: CVE-2021-38163
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-38163
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2021-38163
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

cna@sap.com: CVE-2021-38163
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-38163
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-38163 // JVNDB: JVNDB-2021-011902 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-800 // NVD: CVE-2021-38163 // NVD: CVE-2021-38163

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011902 // NVD: CVE-2021-38163

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-800

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: top page, url: https://www.sap.com/japan/index.html

Trust: 0.8

title: SAP Netweaver Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164657

Trust: 0.6

title: CVE-2021-38163, url: https://github.com/core1impact/CVE-2021-38163

Trust: 0.1

title: Known Exploited Vulnerabilities Detector, url: https://github.com/Ostorlab/KEV

Trust: 0.1

title: The Register, url: https://www.theregister.co.uk/2022/06/15/microsoft_patch_tuesday/

Trust: 0.1

sources: VULMON: CVE-2021-38163 // JVNDB: JVNDB-2021-011902 // CNNVD: CNNVD-202109-800

EXTERNAL IDS

db: NVD, id: CVE-2021-38163

Trust: 3.3

db: JVNDB, id: JVNDB-2021-011902

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021091412

Trust: 0.6

db: CNNVD, id: CNNVD-202109-800

Trust: 0.6

db: VULMON, id: CVE-2021-38163

Trust: 0.1

sources: VULMON: CVE-2021-38163 // JVNDB: JVNDB-2021-011902 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-800 // NVD: CVE-2021-38163

REFERENCES

url:https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=585106405

Trust: 1.7

url:https://launchpad.support.sap.com/#/notes/3084487

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-38163

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021091412

Trust: 0.6

url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-of-september-2021-36390

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url:https://github.com/core1impact/cve-2021-38163

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-38163 // JVNDB: JVNDB-2021-011902 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-800 // NVD: CVE-2021-38163

SOURCES

db: VULMON, id: CVE-2021-38163
db: JVNDB, id: JVNDB-2021-011902
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202109-800
db: NVD, id: CVE-2021-38163

LAST UPDATE DATE

2024-08-14T12:27:04.225000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-38163, date: 2023-08-08T00:00:00
db: JVNDB, id: JVNDB-2021-011902, date: 2022-08-16T05:02:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202109-800, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2021-38163, date: 2024-06-28T14:14:53.897

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-38163, date: 2021-09-14T00:00:00
db: JVNDB, id: JVNDB-2021-011902, date: 2022-08-16T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202109-800, date: 2021-09-14T00:00:00
db: NVD, id: CVE-2021-38163, date: 2021-09-14T12:15:10.890