10
CVE-2020-6287
- EPSS 94.4%
- Published 14.07.2020 13:15:13
- Last modified 13.03.2025 17:28:24
- Source cna@sap.com
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
Data is provided by the National Vulnerability Database (NVD)
SAP ≫ Netweaver Application Server Java Version 7.30
SAP ≫ Netweaver Application Server Java Version 7.31
SAP ≫ Netweaver Application Server Java Version 7.40
SAP ≫ Netweaver Application Server Java Version 7.50
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: SAP NetWeaver Missing Authentication for Critical Function Vulnerability
- Description: SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.
- Required actions: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.4% | 0.999 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
nvd@nist.gov | 10 | 10 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
cna@sap.com | 10 | 3.9 | 6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.