Severity: 10.0 CRITICAL
EPSS: 3.9% (top 11.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 9, Latest update May 24

Description

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes that are outside the cluster and even outside the network segment dedicated to internal cluster communication, because of a missing authentication check. As a result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting dow

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages: 2 packages

Vulnerability Details (2)

GHSA
GHSA-9fv2-mhpr-vp74: SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7 (2022-05-24)
CVEList
CVE-2020-26829: SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7 (2020-12-09)
CVE-2020-26829 (CRITICAL CVSS 10) | SAP NetWeaver AS JAVA (P2P Cluster | cvebase.io