CVE-2020-6275

EPSS 0.46%
Veröffentlicht 10.06.2020 13:15:18
Zuletzt bearbeitet 21.11.2024 05:35:25
Quelle cna@sap.com
Teams Watchlist Login
Unerledigt Login

SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Netweaver Application Server Abap Version700

SAP ≫ Netweaver Application Server Abap Version701

SAP ≫ Netweaver Application Server Abap Version702

SAP ≫ Netweaver Application Server Abap Version710

SAP ≫ Netweaver Application Server Abap Version711

SAP ≫ Netweaver Application Server Abap Version730

SAP ≫ Netweaver Application Server Abap Version731

SAP ≫ Netweaver Application Server Abap Version740

SAP ≫ Netweaver Application Server Abap Version750

SAP ≫ Netweaver Application Server Abap Version751

SAP ≫ Netweaver Application Server Abap Version752

SAP ≫ Netweaver Application Server Abap Version753

SAP ≫ Netweaver Application Server Abap Version754

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.632

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
cna@sap.com	7.6	1	6	CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2912939

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2020-6275

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-6275

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-6275

EUVD