SB2021081003 - Multiple vulnerabilities in SAP NetWeaver Development Infrastructure

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2021-33691)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the Notification Service in SAP NetWeaver Development Infrastructure. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-33690)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in Component Build Service within SAP NetWeaver Development Infrastructure. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote user to compromise the affected system.

Remediation

Install update from vendor's website.

References

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
• https://launchpad.support.sap.com/#/notes/3073450
• https://launchpad.support.sap.com/#/notes/3072955