CVE-2021-33705

moderate-risk
Published 2021-09-15

The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.

Do I need to act?

-
0.69% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (7)

Netweaver Portal
Netweaver Portal
Netweaver Portal
Netweaver Portal
Netweaver Portal
Netweaver Portal
Netweaver Portal

Affected Vendors

Sap

References (8)

Third Party Advisory http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEd...
Mailing List http://seclists.org/fulldisclosure/2022/Jan/72
Permissions Required https://launchpad.support.sap.com/#/notes/3074844
Patch https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
Third Party Advisory http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEd...
Mailing List http://seclists.org/fulldisclosure/2022/Jan/72
Permissions Required https://launchpad.support.sap.com/#/notes/3074844
Patch https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
44
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 2/34 · Minimal
Exposure 14/34 · Moderate