CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

CVSS v3 10.0 CRITICAL
CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

10.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2021/Apr/6	Mailing List Third Party Advisory
https://launchpad.support.sap.com/#/notes/2934135	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675	Vendor Advisory
https://www.onapsis.com/recon-sap-cyber-security-vulnerability	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_application_server_java:7.30:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.31:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.40:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.50:::::::*

History

28 Apr 2022, 18:57

Type	Values Removed	Values Added
CWE	~~CWE-287~~	CWE-306
References	~~(MISC) http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html -~~	(MISC) http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html - Third Party Advisory, VDB Entry
References	~~(MISC) https://www.onapsis.com/recon-sap-cyber-security-vulnerability -~~	(MISC) https://www.onapsis.com/recon-sap-cyber-security-vulnerability - Third Party Advisory
References	~~(FULLDISC) http://seclists.org/fulldisclosure/2021/Apr/6 -~~	(FULLDISC) http://seclists.org/fulldisclosure/2021/Apr/6 - Mailing List, Third Party Advisory

06 Apr 2021, 16:15

Type	Values Removed	Values Added
References		(MISC) http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html -

05 Apr 2021, 19:15

Type	Values Removed	Values Added
References		(FULLDISC) http://seclists.org/fulldisclosure/2021/Apr/6 -

Information

Published : 2020-07-14 13:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-6287

Mitre link : CVE-2020-6287

CVE.ORG link : CVE-2020-6287

JSON object : View

Products Affected

sap

netweaver_application_server_java

CWE

CWE-306

Missing Authentication for Critical Function

10.0 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

10.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2020-6287

10.0^/10

10.0^/10

Attach tags to `CVE-2020-6287`