CVE-2021-27635

Name of the Vulnerable Software and Affected Versions SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40, 7.50

Description The issue allows an attacker, authenticated as an administrator, to submit a specially crafted XML file due to missing XML validation. This enables the attacker to fully compromise confidentiality by reading any file on the filesystem or fully compromise availability by causing the system to crash. However, the attack cannot be used to change any data, so there is no compromise of integrity.

Recommendations For SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40, 7.50, consider implementing proper XML validation to prevent the submission of specially crafted XML files. As a temporary workaround, restrict access to the XML file submission feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.