Back to KEVs

CVE-2021-38163

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative...

Basic Information

CVE State
PUBLISHED
Reserved Date
August 07, 2021
Published Date
September 14, 2021
Last Updated
January 29, 2025
Vendor
SAP SE
Product
SAP NetWeaver (Visual Composer 7.0 RT)
Description
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2022-06-09 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2022-09-10 03:41:52 UTC) Source

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 https://launchpad.support.sap.com/#/notes/3084487

Known Exploited Vulnerability Information

Source Added Date
CISA 2022-06-09 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

core1impact/CVE-2021-38163

Type: github • Created: 2022-09-10 03:41:52 UTC • Stars: 3

CVE-2021-38163 - exploit for SAP Netveawer