Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Published

2020-07-14T13:15:13.000

Last Modified

2025-03-13T17:28:24.450

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 10.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Primary
CWE-306
Type: Secondary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	netweaver_application_server_java	7.30	Yes
Application	sap	netweaver_application_server_java	7.31	Yes
Application	sap	netweaver_application_server_java	7.40	Yes
Application	sap	netweaver_application_server_java	7.50	Yes

References

http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2021/Apr/6 Mailing List, Third Party Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/2934135 Permissions Required, Vendor Advisory ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 Vendor Advisory ([email protected])
https://www.onapsis.com/recon-sap-cyber-security-vulnerability Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2021/Apr/6 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://launchpad.support.sap.com/#/notes/2934135 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.onapsis.com/recon-sap-cyber-security-vulnerability Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)