CVE-2021-27617

CVSS 4.9 MEDIUMEPSS 0.8%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.9EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 May 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Affected products

SAP SE · SAP Process Integration (Integration Builder Framework)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://launchpad.support.sap.com/#/notes/3012021 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655