CVE-2020-26816

CWE-312Cleartext Storage of Sensitive InfoCWE-3113 documents3 sources
Severity
4.5MEDIUM
EPSS
0.0%
top 94.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver AS Java (key Storage Service)SAP Netweaver Application Server Java
Timeline
PublishedDec 9
Latest updateMay 24

Description

SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as informatio

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

NVDsap/netweaver_application7 versions+6

🔴Vulnerability Details

2
GHSA
GHSA-m82p-m5vr-cmhm: SAP AS JAVA (Key Storage Service), versions - 72022-05-24
CVEList
CVE-2020-26816: SAP AS JAVA (Key Storage Service), versions - 72020-12-09
CVE-2020-26816 (MEDIUM CVSS 4.5) | SAP AS JAVA (Key Storage Service) | cvebase.io