PT-2021-14558 · Sap · Sap Netweaver Application Server Java

Igor Souza · Published 2021-04-13 · Updated 2021-04-20 · CVE-2021-21492

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SAP NetWeaver Application Server Java (HTTP Service) versions 7.10 through 7.50

Description

The issue arises from insufficient validation of logon groups in URLs, leading to a content spoofing issue when directory listing is enabled.

Recommendations

For versions 7.10 through 7.50, consider disabling directory listing to minimize the risk of exploitation. As a temporary workaround, restrict access to the HTTP Service until a patch is available.

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2021-21492

Affected Products

Sap Netweaver Application Server Java