CVE-2021-33690

 

  • Severity Score: 9.9 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service, versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the server and impact its availability.

Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or on the internet. The CVSS score reflects the impact in the worst-case scenario, in which it runs on the internet.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-05-28 CVE Reserved
  • 2021-09-15 CVE Published
  • 2023-06-01 First Exploit
  • 2024-08-03 CVE Updated
  • 2024-11-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Sap | Netweaver Development Infrastructure | 7.11 | - | Affected
Sap | Netweaver Development Infrastructure | 7.20 | - | Affected
Sap | Netweaver Development Infrastructure | 7.30 | - | Affected
Sap | Netweaver Development Infrastructure | 7.31 | - | Affected
Sap | Netweaver Development Infrastructure | 7.40 | - | Affected
Sap | Netweaver Development Infrastructure | 7.50 | - | Affected