Vulnerability-Lookup

CVE-2021-33670 (GCVE-0-2021-33670)

Vulnerability from cvelistv5 – Published: 2021-07-14 11:04 – Updated: 2024-08-03 23:58

Summary

SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Denial of Service

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/3056652	x_refsource_MISC
	http://seclists.org/fulldisclosure/2022/May/4	mailing-listx_refsource_FULLDISC
	http://packetstormsecurity.com/files/166965/SAP-N…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP NetWeaver AS for Java (Http Service)	Affected: < 7.10 Affected: < 7.11 Affected: < 7.20 Affected: < 7.30 Affected: < 7.31 Affected: < 7.40 Affected: < 7.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:58:22.541Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3056652"
          },
          {
            "name": "20220504 Onapsis Security Advisory 2022-0002: Denial of Service in SAP NetWeaver JAVA",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver AS for Java (Http Service)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.10"
            },
            {
              "status": "affected",
              "version": "\u003c 7.11"
            },
            {
              "status": "affected",
              "version": "\u003c 7.20"
            },
            {
              "status": "affected",
              "version": "\u003c 7.30"
            },
            {
              "status": "affected",
              "version": "\u003c 7.31"
            },
            {
              "status": "affected",
              "version": "\u003c 7.40"
            },
            {
              "status": "affected",
              "version": "\u003c 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-04T23:06:09.000Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/3056652"
        },
        {
          "name": "20220504 Onapsis Security Advisory 2022-0002: Denial of Service in SAP NetWeaver JAVA",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-33670",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver AS for Java (Http Service)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "7.10"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.11"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.20"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.30"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.31"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.40"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "7.5",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3056652",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/3056652"
            },
            {
              "name": "20220504 Onapsis Security Advisory 2022-0002: Denial of Service in SAP NetWeaver JAVA",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/4"
            },
            {
              "name": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2021-33670",
    "datePublished": "2021-07-14T11:04:11.000Z",
    "dateReserved": "2021-05-28T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:58:22.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-CW5H-4QFV-QQR2

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-33670"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-14T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.",
  "id": "GHSA-cw5h-4qfv-qqr2",
  "modified": "2022-05-24T19:08:04Z",
  "published": "2022-05-24T19:08:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33670"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3056652"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/May/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2022-69288

Vulnerability from cnvd - Published: 2022-10-17

Title

SAP NetWeaver AS for Java拒绝服务漏洞

Description

SAP NetWeaver AS是德国思爱普（SAP）公司的一款SAP网络应用服务器。它不仅能提供网络服务，且还是SAP软件的基本平台。 SAP NetWeaver AS for Java存在拒绝服务漏洞，攻击者可利用该漏洞通过发送具有不同方法类型的多个Http请求，导致拒绝服务。

Severity

中

Patch Name

SAP NetWeaver AS for Java拒绝服务漏洞的补丁

Patch Description

SAP NetWeaver AS是德国思爱普（SAP）公司的一款SAP网络应用服务器。它不仅能提供网络服务，且还是SAP软件的基本平台。 SAP NetWeaver AS for Java存在拒绝服务漏洞，攻击者可利用该漏洞通过发送具有不同方法类型的多个Http请求，导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

Reference

https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-July-2021-35875

Impacted products

Name
['SAP NetWeaver AS for Java 7.20', 'SAP NetWeaver AS for Java 7.30', 'SAP NetWeaver AS for Java 7.31', 'SAP NetWeaver AS for Java 7.40', 'SAP NetWeaver AS for Java 7.50', 'SAP NetWeaver AS for Java 7.10', 'SAP NetWeaver AS for Java 7.11']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-33670",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-33670"
    }
  },
  "description": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\n\nSAP NetWeaver AS for Java\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u5177\u6709\u4e0d\u540c\u65b9\u6cd5\u7c7b\u578b\u7684\u591a\u4e2aHttp\u8bf7\u6c42\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-69288",
  "openTime": "2022-10-17",
  "patchDescription": "SAP NetWeaver AS\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3eSAP\u7f51\u7edc\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u4e0d\u4ec5\u80fd\u63d0\u4f9b\u7f51\u7edc\u670d\u52a1\uff0c\u4e14\u8fd8\u662fSAP\u8f6f\u4ef6\u7684\u57fa\u672c\u5e73\u53f0\u3002\r\n\r\nSAP NetWeaver AS for Java\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u5177\u6709\u4e0d\u540c\u65b9\u6cd5\u7c7b\u578b\u7684\u591a\u4e2aHttp\u8bf7\u6c42\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS for Java\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver AS for Java 7.20",
      "SAP NetWeaver AS for Java 7.30",
      "SAP NetWeaver AS for Java 7.31",
      "SAP NetWeaver AS for Java 7.40",
      "SAP NetWeaver AS for Java 7.50",
      "SAP NetWeaver AS for Java 7.10",
      "SAP NetWeaver AS for Java 7.11"
    ]
  },
  "referenceLink": "https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-July-2021-35875",
  "serverity": "\u4e2d",
  "submitTime": "2021-07-15",
  "title": "SAP NetWeaver AS for Java\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

FKIE_CVE-2021-33670

Vulnerability from fkie_nvd - Published: 2021-07-14 12:15 - Updated: 2024-11-21 06:09

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cna@sap.com	http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html	Patch, Third Party Advisory, VDB Entry
cna@sap.com	http://seclists.org/fulldisclosure/2022/May/4	Mailing List, Patch, Third Party Advisory
cna@sap.com	https://launchpad.support.sap.com/#/notes/3056652	Permissions Required
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html	Patch, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2022/May/4	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/3056652	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	netweaver_application_server_java	7.10
sap	netweaver_application_server_java	7.11
sap	netweaver_application_server_java	7.20
sap	netweaver_application_server_java	7.30
sap	netweaver_application_server_java	7.31
sap	netweaver_application_server_java	7.40
sap	netweaver_application_server_java	7.50

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "D60371A7-F8F4-46F8-9659-DD4EE84B81EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6B085AF-8CEE-4A87-B381-F36C989FB2A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "43A28C48-4325-4694-88B1-FEE46EBFB0A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "24A1E0B9-8C28-41BC-B050-237B5F929C9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE6C2A-821F-4123-BD56-0FDADF9D63C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5308FCE-8B2C-4B4D-BEE7-3CF544570B68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C506445-3787-4BFF-A98B-7502A0F7CF80",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante enviar m\u00faltiples peticiones HTTP con diferentes tipos de m\u00e9todos, bloqueando as\u00ed el filtro y haciendo que el servidor HTTP no est\u00e9 disponible para otros usuarios leg\u00edtimos, conllevando a una vulnerabilidad denegaci\u00f3n de servicio"
    }
  ],
  "id": "CVE-2021-33670",
  "lastModified": "2024-11-21T06:09:19.560",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-14T12:15:08.243",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/4"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3056652"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/May/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/3056652"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-33670

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-33670

Aliases

CVE-2021-33670

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-33670",
    "description": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.",
    "id": "GSD-2021-33670"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-33670"
      ],
      "details": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.",
      "id": "GSD-2021-33670",
      "modified": "2023-12-13T01:23:18.960372Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2021-33670",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP NetWeaver AS for Java (Http Service)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "7.10"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.11"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.20"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.30"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.31"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.40"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.50"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "7.5",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/3056652",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/3056652"
          },
          {
            "name": "20220504 Onapsis Security Advisory 2022-0002: Denial of Service in SAP NetWeaver JAVA",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2022/May/4"
          },
          {
            "name": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2021-33670"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/3056652",
              "refsource": "MISC",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3056652"
            },
            {
              "name": "20220504 Onapsis Security Advisory 2022-0002: Denial of Service in SAP NetWeaver JAVA",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/4"
            },
            {
              "name": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-05-12T20:15Z",
      "publishedDate": "2021-07-14T12:15Z"
    }
  }
}

CERTFR-2021-AVI-523

Vulnerability from certfr_avis - Published: 2021-07-15 - Updated: 2021-07-15

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Process Integration (Enterprise Service Repository JAVA Mappings) versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP CRM versions 700, 701, 702, 712, 713, 714
SAP	N/A	SAP NetWeaver AS ABAP and ABAP Platform versions 700, 702, 730, 731, 804, 740, 750, 784, DEV
SAP	N/A	SAP 3D Visual Enterprise Viewer version 9.0
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (Enterprise Portal) versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP NetWeaver AS for Java (Http Service) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP Business Client version 6.5
SAP	N/A	SAP NetWeaver AS ABAP (Reconciliation Framework) versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F
SAP	N/A	SAP Web Dispatcher and Internet Communication Manager versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83
SAP	N/A	SAP Lumira Server version 2.4
SAP	N/A	SAP NetWeaver Guided Procedures (Administration Workset) versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50
SAP	N/A	SAP Business Objects Web Intelligence (BI Launchpad) versions 420, 430
SAP	N/A	SAP NetWeaver AS ABAP and ABAP Platform versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84
SAP	N/A	SAP NetWeaver AS ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (Administrator applications) version 7.50

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-33670 (GCVE-0-2021-33670)

GHSA-CW5H-4QFV-QQR2

CNVD-2022-69288

FKIE_CVE-2021-33670

GSD-2021-33670

CERTFR-2021-AVI-523

Solution

Tags

Sightings

Nomenclature