CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
sapCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
sapnetweaver_application_server_java
7.30
sapnetweaver_application_server_java
7.31
sapnetweaver_application_server_java
7.40
sapnetweaver_application_server_java
7.50
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
http://seclists.org/fulldisclosure/2021/Apr/6
https://launchpad.support.sap.com/#/notes/2934135
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
https://www.onapsis.com/recon-sap-cyber-security-vulnerability
http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
http://seclists.org/fulldisclosure/2021/Apr/6
https://launchpad.support.sap.com/#/notes/2934135
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
https://www.onapsis.com/recon-sap-cyber-security-vulnerability