Advisory
A note with CVSS 6.1 for component EP-KM-CM was released by SAP on 10.08.2021. The correction/advisory 3076399 was described with "[CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)" and affects the system type Java.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is url redirection vulnerability within Java.
Risk specification
SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component.Solution
The URL path is now properly validated to prevent this type of redirection vulnerability
Affected System
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- KMC-CM 7.30 6
- KMC-CM 7.31 6
- KMC-CM 7.40 6
- KMC-CM 7.50 6
- 6.5 [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager
- 6.1 [CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search)
- 6.1 Multiple Vulnerabilities in URI.js bundled with SAPUI5
- 6.1 [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct
- 5.4 [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA
