CVE-2020-6275: Server-Side Request Forgery in SAP SE SAP Netweaver AS ABAP

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.5% (top 35.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10; Latest update May 24

Description

SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable to a Server-Side Request Forgery attack, wherein an attacker can supply inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating to the malicious server. Furthermore, if NTLM is set up, the attacker can compromise the confidentiality, integrity and availability of the SAP database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: sap_se/sap_netweaver_as_abap, < 700 (+12)
NVD: sap/netweaver_application, 13 versions (+12)

Vulnerability Details (2)

GHSA: GHSA-m3x5-x584-4rhh: SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack (2022-05-24)
CVEList: CVE-2020-6275: SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack (2020-06-10)