Vulnerabilities > SAP > High

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-38163 Path Traversal vulnerability in SAP Netweaver
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process.
network
low complexity
sap CWE-22
8.8
2021-09-14 CVE-2021-38176 SQL Injection vulnerability in SAP products
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database.
network
low complexity
sap CWE-89
8.8
2021-09-14 CVE-2021-38177 NULL Pointer Dereference vulnerability in SAP Commoncryptolib 8.0.0/8.4.29/8.5.38
SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the availability of the SAP system.
network
low complexity
sap CWE-476
7.5
2021-08-09 CVE-2015-2073 Path Traversal vulnerability in SAP Businessobjects Edge 4.0
The File RepositoRy Server (FRS) CORBA listener in SAP BussinessObjects Edge 4.0 allows remote attackers to read arbitrary files via a full pathname, aka SAP Note 2018682.
network
low complexity
sap CWE-22
7.5
2021-08-09 CVE-2015-2074 Path Traversal vulnerability in SAP Businessobjects Edge 4.0
The File Repository Server (FRS) CORBA listener in SAP BussinessObjects Edge 4.0 allows remote attackers to write to arbitrary files via a full pathname, aka SAP Note 2018681.
network
low complexity
sap CWE-22
7.5
2021-07-14 CVE-2021-33670 Unspecified vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.
network
low complexity
sap
7.5
2021-07-14 CVE-2021-33671 Missing Authorization vulnerability in SAP Netweaver Guided Procedures
SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
network
low complexity
sap CWE-862
8.8
2021-07-14 CVE-2021-33676 Missing Authorization vulnerability in SAP Customer Relationship Management
A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system.
network
low complexity
sap CWE-862
7.2
2021-07-14 CVE-2021-33677 Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.
network
low complexity
sap
7.5
2021-06-09 CVE-2021-27597 Out-of-bounds Read vulnerability in SAP Netweaver Abap
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable.
network
low complexity
sap CWE-125
7.5