CVE-2021-44235
MEDIUM
SAP NetWeaver AS ABAP 700-756 - Authenticated OS Command Injection via Transaction Class Builder
Title source: llmDescription
Two methods of a utility class in SAP NetWeaver AS ABAP (versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756) allow an attacker who has high privileges and direct access to the SAP system to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, which could highly impact the Confidentiality, Integrity and Availability of the system.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/3123196
Scores
CVSS v3: 6.7
EPSS: 0.0012
EPSS Percentile: 30.4%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (15)
sap/netweaver_application_server_abap 700
sap/netweaver_application_server_abap 701
sap/netweaver_application_server_abap 702
sap/netweaver_application_server_abap 710
sap/netweaver_application_server_abap 711
sap/netweaver_application_server_abap 730
sap/netweaver_application_server_abap 731
sap/netweaver_application_server_abap 740
sap/netweaver_application_server_abap 750
sap/netweaver_application_server_abap 751
... and 5 more
Published: Dec 14, 2021
Tracked Since: Feb 18, 2026