CyberSec.Space Logo
CVEブラウザに戻る

CVE-2021-38163

Known Exploited (CISA KEV)CRITICAL
9.9
CVSS Severity Score
EPSS Score66.6460%
EPSS Percentile93.36th
Published2021年9月14日
Last Modified2026年2月25日

Vulnerability Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Affected Platforms (CPE)

📦
Sap

Netweaver

= 7.30
📦
Sap

Netweaver

= 7.31
📦
Sap

Netweaver

= 7.40
📦
Sap

Netweaver

= 7.50

References & Advisories

🔗 https://launchpad.support.sap.com/#/notes/3084487
🔗 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
🔗 https://launchpad.support.sap.com/#/notes/3084487
🔗 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38163

関連する脆弱性情報

CVE-2020-2682910.0

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections fro...

CVE-2010-532610.0

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, whic...

CVE-2020-628710.0

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which...

CVE-2012-434110.0

Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of serv...