Vulnerabilites related to SAP SE - SAP NetWeaver AS ABAP (Reconciliation Framework)
cve-2021-33678
Vulnerability from cvelistv5
Published
2021-07-14 11:04
Modified
2024-08-03 23:58
Summary
A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.
Impacted products
Vendor Product Version
SAP SE SAP NetWeaver AS ABAP (Reconciliation Framework) Version: < 700
Version: < 701
Version: < 702
Version: < 710
Version: < 711
Version: < 730
Version: < 731
Version: < 740
Version: < 750
Version: < 751
Version: < 752
Version: < 75A
Version: < 75B
Version: < 75C
Version: < 75D
Version: < 75E
Version: < 75F
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:58:22.357Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://launchpad.support.sap.com/#/notes/3048657",
               },
               {
                  name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/42",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "SAP NetWeaver AS ABAP (Reconciliation Framework)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "< 700",
                  },
                  {
                     status: "affected",
                     version: "< 701",
                  },
                  {
                     status: "affected",
                     version: "< 702",
                  },
                  {
                     status: "affected",
                     version: "< 710",
                  },
                  {
                     status: "affected",
                     version: "< 711",
                  },
                  {
                     status: "affected",
                     version: "< 730",
                  },
                  {
                     status: "affected",
                     version: "< 731",
                  },
                  {
                     status: "affected",
                     version: "< 740",
                  },
                  {
                     status: "affected",
                     version: "< 750",
                  },
                  {
                     status: "affected",
                     version: "< 751",
                  },
                  {
                     status: "affected",
                     version: "< 752",
                  },
                  {
                     status: "affected",
                     version: "< 75A",
                  },
                  {
                     status: "affected",
                     version: "< 75B",
                  },
                  {
                     status: "affected",
                     version: "< 75C",
                  },
                  {
                     status: "affected",
                     version: "< 75D",
                  },
                  {
                     status: "affected",
                     version: "< 75E",
                  },
                  {
                     status: "affected",
                     version: "< 75F",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-95",
                     description: "CWE-95 (Code Injection)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-05-19T17:06:18",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://launchpad.support.sap.com/#/notes/3048657",
            },
            {
               name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/42",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cna@sap.com",
               ID: "CVE-2021-33678",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "SAP NetWeaver AS ABAP (Reconciliation Framework)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "<",
                                          version_value: "700",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "701",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "702",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "710",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "711",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "730",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "731",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "740",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "750",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "751",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "752",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75A",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75B",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75B",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75C",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75D",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75E",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "75F",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "SAP SE",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.",
                  },
               ],
            },
            impact: {
               cvss: {
                  baseScore: "6.5",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-95 (Code Injection)",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
                     refsource: "MISC",
                     url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
                  },
                  {
                     name: "https://launchpad.support.sap.com/#/notes/3048657",
                     refsource: "MISC",
                     url: "https://launchpad.support.sap.com/#/notes/3048657",
                  },
                  {
                     name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2022/May/42",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2021-33678",
      datePublished: "2021-07-14T11:04:19",
      dateReserved: "2021-05-28T00:00:00",
      dateUpdated: "2024-08-03T23:58:22.357Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}