CVE-2021-40495 - Vulnerability Details

Vendors	Products
Sap	Netweaver Abap Netweaver Application Server Abap

Link	Providers
https://launchpad.support.sap.com/#/notes/3099011
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver AS ABAP and ABAP Platform", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 740"}, {"status": "affected", "version": "< 750"}, {"status": "affected", "version": "< 751"}, {"status": "affected", "version": "< 752"}, {"status": "affected", "version": "< 753"}, {"status": "affected", "version": "< 754"}, {"status": "affected", "version": "< 755"}]}], "descriptions": [{"lang": "en", "value": "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-12T14:03:19", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3099011"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2021-40495", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver AS ABAP and ABAP Platform", "version": {"version_data": [{"version_name": "<", "version_value": "740"}, {"version_name": "<", "version_value": "750"}, {"version_name": "<", "version_value": "751"}, {"version_name": "<", "version_value": "752"}, {"version_name": "<", "version_value": "753"}, {"version_name": "<", "version_value": "754"}, {"version_name": "<", "version_value": "755"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform."}]}, "impact": {"cvss": {"baseScore": "null", "vectorString": "null", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"name": "https://launchpad.support.sap.com/#/notes/3099011", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3099011"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:44:10.857Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/3099011"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-40495", "datePublished": "2021-10-12T14:03:19", "dateReserved": "2021-09-03T00:00:00", "dateUpdated": "2024-08-04T02:44:10.857Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : SAP NetWeaver AS ABAP and ABAP Platform (string)

vendor : SAP SE (string)

versions : [ »

0 : { »

status : affected (string)

version : < 740 (string)

}

1 : { »

status : affected (string)

version : < 750 (string)

}

2 : { »

status : affected (string)

version : < 751 (string)

}

3 : { »

status : affected (string)

version : < 752 (string)

}

4 : { »

status : affected (string)

version : < 753 (string)

}

5 : { »

status : affected (string)

version : < 754 (string)

}

6 : { »

status : affected (string)

version : < 755 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Denial of Service (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-10-12T14:03:19 (string)

orgId : e4686d1a-f260-4930-ac4c-2f5c992778dd (string)

shortName : sap (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://launchpad.support.sap.com/#/notes/3099011 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cna@sap.com (string)

ID : CVE-2021-40495 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : SAP NetWeaver AS ABAP and ABAP Platform (string)

version : { »

version_data : [ »

0 : { »

version_name : < (string)

version_value : 740 (string)

}

1 : { »

version_name : < (string)

version_value : 750 (string)

}

2 : { »

version_name : < (string)

version_value : 751 (string)

}

3 : { »

version_name : < (string)

version_value : 752 (string)

}

4 : { »

version_name : < (string)

version_value : 753 (string)

}

5 : { »

version_name : < (string)

version_value : 754 (string)

}

6 : { »

version_name : < (string)

version_value : 755 (string)

}

]

}

]

}

vendor_name : SAP SE (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform. (string)

}

]

}

impact : { »

cvss : { »

baseScore : null (string)

vectorString : null (string)

version : 3.0 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Denial of Service (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

refsource : MISC (string)

url : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

}

1 : { »

name : https://launchpad.support.sap.com/#/notes/3099011 (string)

refsource : MISC (string)

url : https://launchpad.support.sap.com/#/notes/3099011 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T02:44:10.857Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://launchpad.support.sap.com/#/notes/3099011 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : e4686d1a-f260-4930-ac4c-2f5c992778dd (string)

assignerShortName : sap (string)

cveId : CVE-2021-40495 (string)

datePublished : 2021-10-12T14:03:19 (string)

dateReserved : 2021-09-03T00:00:00 (string)

dateUpdated : 2024-08-04T02:44:10.857Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", "matchCriteriaId": "09A38B6E-03DC-4086-A307-542B35814E0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", "matchCriteriaId": "4651257F-7BFC-41AE-8E37-8C96F822CE58", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", "matchCriteriaId": "EECB438D-D5CD-4483-934F-4C814A725A35", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", "matchCriteriaId": "14A1CD95-14E1-438A-92FB-A0E47A88C59F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", "matchCriteriaId": "4148303B-133A-4FD2-B546-DD86C5D0E7C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", "matchCriteriaId": "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", "matchCriteriaId": "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", "matchCriteriaId": "127E508F-6CC1-41C8-96DF-8D14FFDD4020", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", "matchCriteriaId": "7777AA80-1608-420E-B7D5-09ABECD51728", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", "matchCriteriaId": "0539618A-1C4D-463F-B2BB-DD1C239C23EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", "matchCriteriaId": "62828DCD-F80E-4C7C-A988-EFEA06A5223E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", "matchCriteriaId": "D9F38585-73AE-4DBB-A978-F0272DF8FB58", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", "matchCriteriaId": "D416C064-BB8A-4230-A761-84A93E017F79", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", "matchCriteriaId": "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform."}, {"lang": "es", "value": "Se presentan m\u00faltiples vulnerabilidades de denegaci\u00f3n de servicio en SAP NetWeaver Application Server for ABAP y ABAP Platform - versiones 740, 750, 751, 752, 753, 754, 755. Un atacante no autorizado puede usar el servicio p\u00fablico SICF /sap/public/bc/abap para reducir el rendimiento de SAP NetWeaver Application Server ABAP y ABAP Platform"}], "id": "CVE-2021-40495", "lastModified": "2024-11-21T06:24:15.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-12T15:15:09.127", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3099011"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3099011"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:* (string)

matchCriteriaId : 09A38B6E-03DC-4086-A307-542B35814E0E (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:* (string)

matchCriteriaId : 4651257F-7BFC-41AE-8E37-8C96F822CE58 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:* (string)

matchCriteriaId : EECB438D-D5CD-4483-934F-4C814A725A35 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:* (string)

matchCriteriaId : 14A1CD95-14E1-438A-92FB-A0E47A88C59F (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:* (string)

matchCriteriaId : 4148303B-133A-4FD2-B546-DD86C5D0E7C1 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:* (string)

matchCriteriaId : E51EF6BC-4C1C-4F1B-9873-D571BE3788F5 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:* (string)

matchCriteriaId : 424A3D68-0825-4A2C-BEB1-DC9A212A5E42 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:* (string)

matchCriteriaId : 127E508F-6CC1-41C8-96DF-8D14FFDD4020 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:* (string)

matchCriteriaId : 7777AA80-1608-420E-B7D5-09ABECD51728 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:* (string)

matchCriteriaId : 0539618A-1C4D-463F-B2BB-DD1C239C23EB (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:* (string)

matchCriteriaId : 62828DCD-F80E-4C7C-A988-EFEA06A5223E (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:* (string)

matchCriteriaId : D9F38585-73AE-4DBB-A978-F0272DF8FB58 (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:* (string)

matchCriteriaId : D416C064-BB8A-4230-A761-84A93E017F79 (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:* (string)

matchCriteriaId : 6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform. (string)

}

1 : { »

lang : es (string)

value : Se presentan múltiples vulnerabilidades de denegación de servicio en SAP NetWeaver Application Server for ABAP y ABAP Platform - versiones 740, 750, 751, 752, 753, 754, 755. Un atacante no autorizado puede usar el servicio público SICF /sap/public/bc/abap para reducir el rendimiento de SAP NetWeaver Application Server ABAP y ABAP Platform (string)

}

]

id : CVE-2021-40495 (string)

lastModified : 2024-11-21T06:24:15.617 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 5 (number)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-10-12T15:15:09.127 (string)

references : [ »

0 : { »

source : cna@sap.com (string)

tags : [ »

0 : Permissions Required (string)

]

url : https://launchpad.support.sap.com/#/notes/3099011 (string)

}

1 : { »

source : cna@sap.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Permissions Required (string)

]

url : https://launchpad.support.sap.com/#/notes/3099011 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 (string)

}

]

sourceIdentifier : cna@sap.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-noinfo (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object