CVE-2021-38163

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Published: Sep 14, 2021
Updated: Jul 11, 2023
CVE: CVE-2021-38163
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-78
CWE-22

OWASP TOP 10:

A1 - Injection
A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
sap / netweaver	7.30	7.30.x
sap / netweaver	7.31	7.31.x
sap / netweaver	7.40	7.40.x
sap / netweaver	7.50	7.50.x

https://launchpad.support.sap.com/#/notes/3084487
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405

Vulnerability Database

289,871

CVE-2021-38163