The two most severe vulnerabilities in NetWeaver are addressed in the most important of the new security notes. They are a missing authorization check (CVE-2021-33671, CVSS score of 7.6) and a denial of service (CVE-2021-33670, CVSS score of 7.5).

The missing authorization check affects SAP NetWeaver Guided Procedures (SAP GP), a component of the Composite Application Framework (CAF) that allows users to access multiple backend systems based on their use. The missing authorization was found in GP's central administration user interface, and it could result in unauthorized data access and manipulation.

The denial-of-service flaw exists because HTTP requests are not adequately validated when monitoring data is stored in SAP NetWeaver AS for Java (Http Service). As a result, an attacker who can control HTTP requests can exhaust system resources, resulting in a denial of service.

SAP also released nine new security notes, one for a low-severity bug in NetWeaver AS for Java and the others for medium-severity bugs in CRM ABAP, NetWeaver AS ABAP and ABAP Platform, Lumira Server, Web Dispatcher and Internet Communication Manager, NetWeaver AS for Java (Enterprise Portal), Business Objects Web Intelligence (BI Launchpad), and 3D Visual Enterprise Viewer (Administrator).

In addition, SAP updated two Hot News security notes: one for security updates for the Chromium browser in SAP Business Client (CVSS score of 10) and another for an improper authentication issue in NetWeaver ABAP Server and ABAP Platform (CVSS score of 9) that was first released in June 2021. A third updated security note, in SAP Process Integration, addresses a medium-severity potential XML External Entity (XXE) issue (ESR Java Mappings).