CVE-2020-26829

Sažetak

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.

Reference

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
https://launchpad.support.sap.com/#/notes/2974774
http://seclists.org/fulldisclosure/2021/Jun/33
http://packetstormsecurity.com/files/163166/SAP-Netweaver-JAVA-7.50-Missing-Authorization.html

CVSS

Base:	9.0
Impact:	8.5
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	COMPLETE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:C

Zadnje važnije ažuriranje

21-07-2021 - 11:39

Objavljeno

09-12-2020 - 17:15