CVE-2021-38163 — CRITICAL (9.9)

Vulnerability Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sap	Netweaver	7.30

Related Weaknesses (CWE)

CWE-22

References

https://launchpad.support.sap.com/#/notes/3084487Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405Broken LinkVendor Advisory
https://launchpad.support.sap.com/#/notes/3084487Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405Broken LinkVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-US Government Resource

FAQ

What is CVE-2021-38163?

CVE-2021-38163 is a vulnerability with a CVSS score of 9.9 (CRITICAL). SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and tri...

How severe is CVE-2021-38163?

CVE-2021-38163 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-38163?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver.