ByteOS Network

Vulnerability Details :

CVE-2020-26832

Assigner-sap

Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd

Published At-09 Dec, 2020 | 16:31

Updated At-04 Aug, 2024 | 16:03

SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:sap

Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd

Published At:09 Dec, 2020 | 16:31

Updated At:04 Aug, 2024 | 16:03

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

SAP SE

Product

SAP NetWeaver AS ABAP (SAP Landscape Transformation)

Versions

Affected

< 2011_1_620
< 2011_1_640
< 2011_1_700
< 2011_1_710
< 2011_1_730
< 2011_1_731
< 2011_1_752
< 2020

Vendor

SAP SE

Product

SAP S4 HANA (SAP Landscape Transformation)

Versions

Affected

< 101
< 102
< 103
< 104
< 105

Problem Types

Type	CWE ID	Description
text	N/A	Missing Authorization

Type: text

CWE ID: N/A

Description: Missing Authorization

Metrics

Version	Base score	Base severity	Vector
3.0	7.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

Version: 3.0

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

References

Hyperlink	Resource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079	x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2993132	x_refsource_MISC
http://seclists.org/fulldisclosure/2022/May/42	mailing-list x_refsource_FULLDISC
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	x_refsource_MISC

Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Resource:

x_refsource_MISC

Hyperlink: https://launchpad.support.sap.com/#/notes/2993132

Resource:

x_refsource_MISC

Hyperlink: http://seclists.org/fulldisclosure/2022/May/42

Resource:

mailing-list

x_refsource_FULLDISC

Hyperlink: http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079	x_refsource_MISC x_transferred
https://launchpad.support.sap.com/#/notes/2993132	x_refsource_MISC x_transferred
http://seclists.org/fulldisclosure/2022/May/42	mailing-list x_refsource_FULLDISC x_transferred
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	x_refsource_MISC x_transferred

Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://launchpad.support.sap.com/#/notes/2993132

Resource:

x_refsource_MISC

x_transferred

Hyperlink: http://seclists.org/fulldisclosure/2022/May/42

Resource:

mailing-list

x_refsource_FULLDISC

x_transferred

Hyperlink: http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Resource:

x_refsource_MISC

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cna@sap.com

Published At:09 Dec, 2020 | 17:15

Updated At:05 Oct, 2022 | 14:21

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
Secondary	3.0	7.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:S/C:P/I:N/A:C

Type: Primary

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

Type: Secondary

Version: 3.0

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

Type: Primary

Version: 2.0

Base score: 7.5

Base severity: HIGH

Vector:

AV:N/AC:L/Au:S/C:P/I:N/A:C

CPE Matches

SAP SE

>>netweaver_application_server_abap>>2011_1_620

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_640

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_700

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_710

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_730

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_731

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2011_1_752

cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*

SAP SE

>>netweaver_application_server_abap>>2020

cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*

SAP SE

>>s\/4_hana>>101

cpe:2.3:a:sap:s\/4_hana:101:*:*:*:*:*:*:*

SAP SE

>>s\/4_hana>>102

cpe:2.3:a:sap:s\/4_hana:102:*:*:*:*:*:*:*

SAP SE

>>s\/4_hana>>103

cpe:2.3:a:sap:s\/4_hana:103:*:*:*:*:*:*:*

SAP SE

>>s\/4_hana>>104

cpe:2.3:a:sap:s\/4_hana:104:*:*:*:*:*:*:*

SAP SE

>>s\/4_hana>>105

cpe:2.3:a:sap:s\/4_hana:105:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-862	Primary	nvd@nist.gov

CWE ID: CWE-862

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	cna@sap.com	Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/May/42	cna@sap.com	Exploit Mailing List Third Party Advisory
https://launchpad.support.sap.com/#/notes/2993132	cna@sap.com	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079	cna@sap.com	Vendor Advisory

Hyperlink: http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: cna@sap.com

Resource:

Exploit

Third Party Advisory

VDB Entry

Hyperlink: http://seclists.org/fulldisclosure/2022/May/42

Source: cna@sap.com

Resource:

Exploit

Mailing List

Third Party Advisory

Hyperlink: https://launchpad.support.sap.com/#/notes/2993132

Source: cna@sap.com

Resource:

Permissions Required

Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Source: cna@sap.com

Resource:

Vendor Advisory

Similar CVEs

106Records found

CVE-2022-35293

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-9.1||CRITICAL

EPSS-0.66% / 70.28%

7 Day CHG~0.00%

Published-09 Aug, 2022 | 20:13

Updated-03 Aug, 2024 | 09:36

Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to user's account. On successful exploitation, an attacker can view or modify user data causing limited impact on confidentiality and integrity of the application.

Vendor-SAP SE

Product-enable_now_manager SAP Enable Now Manager

CWE ID-CWE-862

Missing Authorization

CVE-2024-44112

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-4.3||MEDIUM

EPSS-0.10% / 28.71%

7 Day CHG~0.00%

Published-10 Sep, 2024 | 04:03

Updated-16 Sep, 2024 | 14:19

Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution)

Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability.

Vendor-SAP SE

Product-oil_\%\/_gas SAP for Oil & Gas

CWE ID-CWE-862

Missing Authorization

CVE-2021-27605

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-4.3||MEDIUM

EPSS-0.12% / 31.67%

7 Day CHG~0.00%

Published-13 Apr, 2021 | 18:44

Updated-03 Aug, 2024 | 21:26

SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.

Vendor-SAP SE

Product-fiori_apps_2.0_for_travel_management_in_sap_erp SAP Fiori Apps 2.0 for Travel Management in SAP ERP

CWE ID-CWE-862

Missing Authorization

CVE-2024-41734

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-4.3||MEDIUM

EPSS-0.09% / 27.17%

7 Day CHG~0.00%

Published-13 Aug, 2024 | 04:18

Updated-12 Sep, 2024 | 13:28

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.

Vendor-SAP SE

Product-netweaver_application_server_abap SAP NetWeaver Application Server ABAP and ABAP Platform

CWE ID-CWE-862

Missing Authorization

CVE-2020-6212

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-5.4||MEDIUM

EPSS-0.13% / 32.62%

7 Day CHG~0.00%

Published-24 Apr, 2020 | 22:18

Updated-04 Aug, 2024 | 08:55

Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing reading or modification of some tax reports, due to Missing Authorization Check.

Vendor-SAP SE

Product-erp s\/4hana SAP S/4 HANA SAP ERP

CWE ID-CWE-862

Missing Authorization

CVE-2020-6199

Matching Score-6

Assigner-SAP SE

View Details

Matching Score-6

Assigner-SAP SE

CVSS Score-5.4||MEDIUM

EPSS-0.12% / 31.03%

7 Day CHG~0.00%

Published-10 Mar, 2020 | 20:18

Updated-04 Aug, 2024 | 08:55

The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103, 104; does not have any authorization check to it due to which an attacker without an authorization group can maintain any company certificate, leading to Missing Authorization Check.

Vendor-SAP SE

Product-erp SAP ERP (EAPPGLO)SAP ERP (SAP_FIN)SAP S/4HANA (S4CORE)

CWE ID-CWE-862

Missing Authorization

CVE-2020-26832

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs