PT-2021-17534 · SAP · SAP NetWeaver AS JAVA
Published: 2021-04-13 · Updated: 2022-10-07 · CVE-2021-27598
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SAP NetWeaver AS JAVA versions 7.31, 7.40, 7.50
Description
The issue allows an attacker to read statistical data, including product version, traffic, and timestamp, due to a missing authorization check in the Customer Usage Provisioning Servlet.
Recommendations
For versions 7.31, 7.40, 7.50, consider restricting access to the Customer Usage Provisioning Servlet until a patch is available.
As a temporary workaround, consider implementing additional authorization checks for the servlet to minimize the risk of exploitation.
Fix
Improper Access Control
Missing Authorization
Affected Products
SAP NetWeaver AS JAVA