NVD:CVE-2020-26832
Dec 09, 2020 - 5:15 p.m.

CVE-2020-26832

2020-12-09 17:15:31
CWE-862
web.nvd.nist.gov
4
sap
abap
s4 hana
privileged user
unauthorized access
system unavailability
rfc function module
missing authorization
sensitive information

CVSS2: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:L/Au:S/C:P/I:N/A:C

CVSS3: 7.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

AI Score: 7.3
Confidence: High

EPSS: 0.014
Percentile: 86.6%

SAP AS ABAP (SAP Landscape Transformation), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104, 105, allow a high-privileged user to execute an RFC function module to which access should be restricted. Due to missing authorization, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.

Affected configurations

Nvd
Node
sap netweaver_application_server_abap Match 2011_1_620
OR
sap netweaver_application_server_abap Match 2011_1_640
OR
sap netweaver_application_server_abap Match 2011_1_700
OR
sap netweaver_application_server_abap Match 2011_1_710
OR
sap netweaver_application_server_abap Match 2011_1_730
OR
sap netweaver_application_server_abap Match 2011_1_731
OR
sap netweaver_application_server_abap Match 2011_1_752
OR
sap netweaver_application_server_abap Match 2020
OR
sap s\/4_hana Match 101
OR
sap s\/4_hana Match 102
OR
sap s\/4_hana Match 103
OR
sap s\/4_hana Match 104
OR
sap s\/4_hana Match 105

Vendor  Product                            Version     CPE
sap     netweaver_application_server_abap  2011_1_620  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_640  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_700  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_710  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_730  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_731  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2011_1_752  cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*
sap     netweaver_application_server_abap  2020        cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*
sap     s\/4_hana                          101         cpe:2.3:a:sap:s\/4_hana:101:*:*:*:*:*:*:*
sap     s\/4_hana                          102         cpe:2.3:a:sap:s\/4_hana:102:*:*:*:*:*:*:*