CVE-2020-26830 — Missing Authorization in SE SAP Solution Manager

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 51.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Solution Manager SAP Solution Manager

Timeline

PublishedDec 9

Latest updateMay 24

Description

SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_solution_manager< 7.20

▶NVDsap/solution_manager7.20

🔴Vulnerability Details

GHSA

GHSA-jqj4-298c-3hhv: SAP Solution Manager 7↗2022-05-24

▶

CVEList

CVE-2020-26830: SAP Solution Manager 7↗2020-12-09

▶