CVE-2020-26818: Missing Authorization in SE SAP Netweaver AS Abap

Severity: 8.8 HIGH (NVD)
EPSS: 0.3% (top 50.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 10, Latest update May 24

Description

SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: sap_se/sap_netweaver_as_abap < 731 (+8)
NVD: sap/netweaver_application, 9 versions (+8)

Vulnerability Details (2)
GHSA (2022-05-24)
GHSA-67fv-h3m9-7p8h: SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro componen
CVEList (2020-11-10)
CVE-2020-26818: SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro componen