Server-Side Request Forgery in SAP NetWeaver Portal's Iviews Editor
CVE-2021-33705

8.1HIGH

Key Information:

Vendor

SAP
Status
SAP Netweaver Enterprise Portal
Vendor
CVE Published:
15 September 2021

What is CVE-2021-33705?

The SAP NetWeaver Portal Iviews Editor component is susceptible to a Server-Side Request Forgery (SSRF) vulnerability. This allows unauthenticated attackers to craft malicious URLs that, when accessed by a user, can initiate requests to any internal or external server. This exploitation could lead to unauthorized access or modification of data linked to the Portal, although it does not compromise the system's availability.

Affected Version(s)

SAP NetWeaver Enterprise Portal < 7.10 < 7.10

SAP NetWeaver Enterprise Portal < 7.11 < 7.11

SAP NetWeaver Enterprise Portal < 7.20 < 7.20

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/3074844
x_refsource_MISC
http://seclists.org/fulldisclosure/2022/Jan/72
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.