Server-Side Request Forgery Vulnerability in SAP NetWeaver Development Infrastructure
CVE-2021-33690

9.9CRITICAL

Key Information:

Vendor: SAP
Status: SAP Netweaver Development Infrastructure (component Build Service)
Vendor: CVE Published:; 15 September 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in the SAP NetWeaver Development Infrastructure Component Build Service versions 7.11 through 7.50. This vulnerability allows an attacker with access to the server to exploit the service by sending specially crafted queries. Consequently, the attacker can execute proxy attacks that may lead to unauthorized access and compromise sensitive data stored on the server. The impact of this vulnerability can vary significantly depending on whether the SAP NetWeaver environment is deployed in an intranet or internet setting.

Affected Version(s)

SAP NetWeaver Development Infrastructure (Component Build Service) < 7.11 < 7.11

SAP NetWeaver Development Infrastructure (Component Build Service) < 7.20 < 7.20

SAP NetWeaver Development Infrastructure (Component Build Service) < 7.30 < 7.30

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-33690
Created by redrays-io

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/3072955

x_refsource_MISC

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Jun 1, 2023
👾
Exploit known to exist
Jun 1, 2023
Vulnerability published
Sep 15, 2021
Vulnerability Reserved
May 28, 2021