CVE-2020-6287

HIGH

Description

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the Confidentiality, Integrity and Availability of the system (Missing Authentication Check).

References

http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html

http://seclists.org/fulldisclosure/2021/Apr/6

https://launchpad.support.sap.com/#/notes/2934135

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

https://www.onapsis.com/recon-sap-cyber-security-vulnerability

Details

Source: MITRE

Published: 2020-07-14

Updated: 2021-04-06

Type: CWE-287

Risk Information

CVSS v2.0

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 10

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins


ID     | Name                                                                   | Product | Family      | Severity
-------|------------------------------------------------------------------------|---------|-------------|---------
138762 | SAP NetWeaver : Authentication Bypass (CVE-2020-6287) (Direct Check)   | Nessus  | Web Servers | critical
138506 | SAP NetWeaver AS Java Multiple Vulnerabilities                         | Nessus  | Web Servers | critical