CVE-2020-6287
Scores
EPSS Score
0.9439
CVSS
3.x 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
All CVSS Scores
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check. This allows an attacker without prior authentication to execute configuration tasks that perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system (Missing Authentication Check).
Exploits
Exploit ID: CVE-2020-6287
Source: github-poc
URL: https://github.com/dylvie/CVE-2020-6287_SAP-NetWeaver-bypass-auth
Vulnerable Software
Type: Configuration
Vendor: sap
Product: netweaver_application_server_java
Operating System: * * *
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*",
      "vulnerable": true
    }
  ],
  "operator": "OR"
}
Source: nvd