CVE-2021-33690

Name: CVE-2021-33690
Creator: NVD / NIST
Published: 2021-09-15T19:15:09.093+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.9/10EPSS 67.70%

Last modified Jun 17, 2026

CVE-2021-33690 is a critical-severity vulnerability rated 9.9/10 on the CVSS scale. Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. EPSS estimates a 67.70% chance of exploitation in the next 30 days.

Description

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

Metrics

CVSS 3.1

9.9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

67.70%

99.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Sap	Netweaver Development Infrastructure	7.11
Sap	Netweaver Development Infrastructure	7.20
Sap	Netweaver Development Infrastructure	7.30
Sap	Netweaver Development Infrastructure	7.31
Sap	Netweaver Development Infrastructure	7.40
Sap	Netweaver Development Infrastructure	7.50

References

https://launchpad.support.sap.com/#/notes/3072955Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806Patch, Vendor Advisory
https://launchpad.support.sap.com/#/notes/3072955Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806Patch, Vendor Advisory

Timeline

Published: Sep 15, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-33690?

How severe is CVE-2021-33690?

CVE-2021-33690 has a CVSS score of 9.9/10 (CRITICAL severity). The EPSS model estimates a 67.70% probability of exploitation in the next 30 days.

How do I fix CVE-2021-33690?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-33690?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST