CVE-2020-26809 — Incorrect Default Permissions in SE SAP Commerce Cloud

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 50.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Commerce Cloud SAP Commerce Cloud

Timeline

PublishedNov 10

Latest updateMay 24

Description

SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. This folder could contain sensitive files that results in disclosure of sensitive information and impact system configuration confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_commerce_cloud< 1808+3

▶NVDsap/commerce_cloud4 versions+3

🔴Vulnerability Details

GHSA

GHSA-62q9-rf2f-c4rj: SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoi↗2022-05-24

▶

CVEList

CVE-2020-26809: SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoi↗2020-11-10

▶