CVE-2020-26834

CWE-287 — Improper Authentication3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 63.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Hana Database SAP Hana Database

Timeline

PublishedDec 9

Latest updateMay 24

Description

SAP HANA Database, version - 2.0, does not correctly validate the username when performing SAML bearer token-based user authentication. It is possible to manipulate a valid existing SAML bearer token to authenticate as a user whose name is identical to the truncated username for whom the SAML bearer token was issued.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5sap_se/sap_hana_database< 2.0

▶NVDsap/hana_database2.00

🔴Vulnerability Details

GHSA

GHSA-xwh3-6m65-fmmj: SAP HANA Database, version - 2↗2022-05-24

▶

CVEList

CVE-2020-26834: SAP HANA Database, version - 2↗2020-12-09

▶