CVE-2020-6263

2020-06-10T13:15:00

Description

Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass.

Affected Software

CPE Name	Name	Version
sap:netweaver_application_server_java	sap netweaver application server java	7.00
sap:netweaver_application_server_java	sap netweaver application server java	7.01
sap:netweaver_application_server_java	sap netweaver application server java	7.02
sap:netweaver_application_server_java	sap netweaver application server java	7.05
sap:netweaver_application_server_java	sap netweaver application server java	7.10
sap:netweaver_application_server_java	sap netweaver application server java	7.11
sap:netweaver_application_server_java	sap netweaver application server java	7.20
sap:netweaver_application_server_java	sap netweaver application server java	7.30
sap:netweaver_application_server_java	sap netweaver application server java	7.31
sap:netweaver_application_server_java	sap netweaver application server java	7.40
sap:netweaver_application_server_java	sap netweaver application server java	7.50

{"id": "CVE-2020-6263", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-6263", "description": "Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass.", "published": "2020-06-10T13:15:00", "modified": "2021-07-21T11:39:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6263", "reporter": "cna@sap.com", "references": ["https://launchpad.support.sap.com/#/notes/2878568", "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"], "cvelist": ["CVE-2020-6263"], "immutableFields": [], "lastseen": "2022-03-23T18:47:39", "viewCount": 15, "enchantments": {"dependencies": {}, "score": {"value": 4.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "talos", "idList": ["SAP"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}, {"name": "sap netweaver application server java", "version": 7}]}, "vulnersScore": 4.4}, "_state": {"dependencies": 1659878138, "score": 1659818015, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": "35d087b50c6017cfff3cd61ad7c29925"}, "cna_cvss": {"cna": "SAP SE", "cvss": {"3": {"vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", "score": 6.9}}}, "cpe": ["cpe:/a:sap:netweaver_application_server_java:7.02", "cpe:/a:sap:netweaver_application_server_java:7.10", "cpe:/a:sap:netweaver_application_server_java:7.00", "cpe:/a:sap:netweaver_application_server_java:7.11", "cpe:/a:sap:netweaver_application_server_java:7.20", "cpe:/a:sap:netweaver_application_server_java:7.30", "cpe:/a:sap:netweaver_application_server_java:7.40", "cpe:/a:sap:netweaver_application_server_java:7.50", "cpe:/a:sap:netweaver_application_server_java:7.01", "cpe:/a:sap:netweaver_application_server_java:7.05", "cpe:/a:sap:netweaver_application_server_java:7.31"], "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.02:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.00:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.05:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.01:*:*:*:*:*:*:*"], "cwe": ["CWE-306"], "affectedSoftware": [{"cpeName": "sap:netweaver_application_server_java", "version": "7.00", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.01", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.02", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.05", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.10", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.11", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.20", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.30", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.31", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.40", "operator": "eq", "name": "sap netweaver application server java"}, {"cpeName": "sap:netweaver_application_server_java", "version": "7.50", "operator": "eq", "name": "sap netweaver application server java"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.00:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.01:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.02:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.05:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://launchpad.support.sap.com/#/notes/2878568", "name": "https://launchpad.support.sap.com/#/notes/2878568", "refsource": "MISC", "tags": ["Permissions Required"]}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", "refsource": "MISC", "tags": ["Vendor Advisory"]}]}