10

CVE-2020-6287

Warnung
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP NetWeaver Missing Authentication for Critical Function Vulnerability

Schwachstelle

SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 94.72% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
cna@sap.com 10 3.9 6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
Vendor Advisory
Broken Link
https://launchpad.support.sap.com/#/notes/2934135
Vendor Advisory
Permissions Required
http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2021/Apr/6
Third Party Advisory
Mailing List
https://www.onapsis.com/recon-sap-cyber-security-vulnerability
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6287
US Government Resource