CVE-2020-6364

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager,leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
sapCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
sapintroscope_enterprise_manager
9.7
sapintroscope_enterprise_manager
10.1
sapintroscope_enterprise_manager
10.5
sapintroscope_enterprise_manager
10.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/163153/SAP-Wily-Introscope-Enterprise-OS-Command-Injection.html
http://seclists.org/fulldisclosure/2021/Jun/28
https://launchpad.support.sap.com/#/notes/2969828
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
http://packetstormsecurity.com/files/163153/SAP-Wily-Introscope-Enterprise-OS-Command-Injection.html
http://seclists.org/fulldisclosure/2021/Jun/28
https://launchpad.support.sap.com/#/notes/2969828
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196