Severity: 9.8 CRITICAL
EPSS: 0.2% (top 54.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10 | Latest update May 24

Description

Standalone clients connecting to SAP NetWeaver AS Java via the P4 protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), do not perform any authentication checks for operations that require user identity, leading to an authentication bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: sap_se/sap_netweaver_as_java < SAP-JEECOR 7.00 (+12)
NVD: sap/netweaver_application, 11 versions (+10)

Vulnerability Details (2)

GHSA | 2022-05-24
GHSA-pvvr-7qqm-3prh: Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7
CVEList | 2020-06-10
CVE-2020-6263: Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7