CVE-2021-38163
Summary
| CVE | CVE-2021-38163 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-09-14 12:15:00 UTC |
| Updated | 2023-08-08 14:21:00 UTC |
| Description | In SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40 and 7.50, an attacker authenticated as a non-administrative user can, without restriction, upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privileges of the Java Server process. These commands can be used to read or modify any information on the server or to shut the server down, making it unavailable. |
Risk And Classification
EPSS: 0.847660000 probability, percentile 0.993340000 (date 2026-04-01)
CISA KEV: Listed on 2022-06-09; due 2022-06-30; known ransomware use: Unknown
Problem Types: CWE-22
CISA Known Exploited Vulnerability
| Vendor | SAP |
|---|---|
| Product | NetWeaver |
| Name | SAP NetWeaver Unrestricted File Upload Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2021-38163 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| launchpad.support.sap.com | MISC | launchpad.support.sap.com | |
| SAP Security Patch Day – September 2021 - Product Security Response at SAP - Community Wiki | MISC | wiki.scn.sap.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 87494 SAP NetWeaver AS File Upload Vulnerability