Skip to main content

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2021-33678

Severity Medium
Score 6.5/10

Summary

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • HIGH
  • NONE
  • HIGH

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References

Advisory Timeline

  • Published