Lucene search

SapCVE-2021-21485

HistoryApr 13, 2021 - 7:15 p.m.

CVE-2021-21485

2021-04-1319:15:13

sap

web.nvd.nist.gov

sap

netweaver

application server

java

ntlm hashes

unauthorized access

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.002

Percentile

53.4%

JSON

An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.

Affected configurations

Nvd

Node

sapnetweaver_application_server_javaMatch7.10

sapnetweaver_application_server_javaMatch7.20

sapnetweaver_application_server_javaMatch7.30

sapnetweaver_application_server_javaMatch7.31

sapnetweaver_application_server_javaMatch7.40

sapnetweaver_application_server_javaMatch7.50

VendorProductVersionCPE
sapnetweaver_application_server_java7.10cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*
sapnetweaver_application_server_java7.20cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*
sapnetweaver_application_server_java7.30cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*
sapnetweaver_application_server_java7.31cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*
sapnetweaver_application_server_java7.40cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*
sapnetweaver_application_server_java7.50cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	netweaver_application_server_java	7.10	cpe:2.3:a:sap:netweaver_application_server_java:7.10:::::::*
sap	netweaver_application_server_java	7.20	cpe:2.3:a:sap:netweaver_application_server_java:7.20:::::::*
sap	netweaver_application_server_java	7.30	cpe:2.3:a:sap:netweaver_application_server_java:7.30:::::::*
sap	netweaver_application_server_java	7.31	cpe:2.3:a:sap:netweaver_application_server_java:7.31:::::::*
sap	netweaver_application_server_java	7.40	cpe:2.3:a:sap:netweaver_application_server_java:7.40:::::::*
sap	netweaver_application_server_java	7.50	cpe:2.3:a:sap:netweaver_application_server_java:7.50:::::::*

CNA Affected

[
  {
    "product": "SAP NetWeaver AS for JAVA (Telnet Commands)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "ENGINEAPI 7.30, 7.31, 7.40, 7.50"
      },
      {
        "status": "affected",
        "version": "ESP_FRAMEWORK 7.10, 7.20, 7.30, 7.31, 7.40, 7.50"
      },
      {
        "status": "affected",
        "version": "SERVERCORE 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50"
      },
      {
        "status": "affected",
        "version": "J2EE-FRMW 7.10, 7.20, 7.30, 7.31, 7.40, 7.50"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3001824

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.002

Percentile

53.4%

JSON

Related for CVE-2021-21485