Cyber Resilience

CVE-2021-33689

Medium

Published: 14 July 2021

Published
14 July 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0023 46.1th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-33689 is a medium-severity Insufficient Logging (CWE-778) vulnerability in Sap Netweaver Application Server Java. Its CVSS base score is 4.3 (Medium).

Operationally, ranked at the 46.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sap
netweaver application server java
7.50

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-778

Audit policy requires defining and implementing logging of security-relevant events, directly reducing insufficient logging.

addresses: CWE-778

Providing proof of performed actions necessitates sufficient logging of security-relevant events with attribution details.

addresses: CWE-778

Retaining audit records for a defined period ensures security-relevant events remain available for after-the-fact investigations, directly mitigating the risk that attackers can hide actions due to missing or purged log data.

addresses: CWE-778

Directly requires generation of audit records for specified events, preventing the absence of logging that allows undetected malicious activity.

addresses: CWE-778

Directly implements detailed session logging to address the weakness of insufficient logging.

addresses: CWE-778

Provides alternate logging mechanism to maintain audit trails when primary capability fails, directly reducing insufficient logging.

addresses: CWE-778

Employing coordination mechanisms ensures consistent and sufficient logging practices are applied when audit information crosses organizational boundaries.

addresses: CWE-778

This control requires identifying, specifying, and justifying event types for logging with a focus on adequacy for post-incident investigations, directly mitigating insufficient logging.

References