Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-6318

A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate.

Published

2020-09-09T13:15:12.020

Last Modified

2024-11-21T05:35:29.977

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	abap_platform	700	Yes
Application	sap	abap_platform	701	Yes
Application	sap	abap_platform	702	Yes
Application	sap	abap_platform	710	Yes
Application	sap	abap_platform	711	Yes
Application	sap	abap_platform	730	Yes
Application	sap	abap_platform	731	Yes
Application	sap	abap_platform	740	Yes
Application	sap	abap_platform	750	Yes
Application	sap	abap_platform	751	Yes
Application	sap	abap_platform	753	Yes
Application	sap	abap_platform	754	Yes
Application	sap	abap_platform	755	Yes

References

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html Exploit, Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2022/May/42 Exploit, Mailing List, Third Party Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/2958563 Permissions Required ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700 Vendor Advisory ([email protected])
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2022/May/42 Exploit, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://launchpad.support.sap.com/#/notes/2958563 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)