Lucene search

[email protected]CVE-2020-6287

HistoryJul 14, 2020 - 1:15 p.m.

CVE-2020-6287

2020-07-1413:15:00

CWE-306

[email protected]

web.nvd.nist.gov

1011

In Wild

sap

netweaver

as java

cve-2020-6287

security vulnerability

authentication check

configuration tasks

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

JSON

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

CPENameOperatorVersion
sap:netweaver_application_server_javasap netweaver application server javaeq7.30
sap:netweaver_application_server_javasap netweaver application server javaeq7.31
sap:netweaver_application_server_javasap netweaver application server javaeq7.40
sap:netweaver_application_server_javasap netweaver application server javaeq7.50

CPE	Name	Operator	Version
sap:netweaver_application_server_java	sap netweaver application server java	eq	7.30
sap:netweaver_application_server_java	sap netweaver application server java	eq	7.31
sap:netweaver_application_server_java	sap netweaver application server java	eq	7.40
sap:netweaver_application_server_java	sap netweaver application server java	eq	7.50