CVE-2020-6282Server-Side Request Forgery in SE SAP Netweaver AS Java

CWE-918Server-Side Request Forgery3 documents3 sources
Severity
5.8MEDIUMNVD
EPSS
0.1%
top 66.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver AS JavaSAP Netweaver Application Server Java
Timeline
PublishedJul 14
Latest updateMay 24

Description

SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5sap_se/sap_netweaver_as_java< 7.10+6
NVDsap/netweaver_application7 versions+6

🔴Vulnerability Details

2
GHSA
GHSA-qphx-chwr-chm3: SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 72022-05-24
CVEList
CVE-2020-6282: SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 72020-07-14
CVE-2020-6282 — Server-Side Request Forgery | cvebase