CVE-2020-26830

09.12.2020, 17:15

SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
sap	CNA	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Vendor	Product	Version
sap	solution_manager	7.20

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

http://packetstormsecurity.com/files/163161/SAP-Solution-Manager-7.2-Missing-Authorization.html

http://seclists.org/fulldisclosure/2021/Jun/29

https://launchpad.support.sap.com/#/notes/2983204

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

http://packetstormsecurity.com/files/163161/SAP-Solution-Manager-7.2-Missing-Authorization.html

http://seclists.org/fulldisclosure/2021/Jun/29

https://launchpad.support.sap.com/#/notes/2983204

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079