Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-6309

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-12 Aug, 2020 | 13:51
Updated At-04 Aug, 2024 | 08:55
Rejected At-
Credits

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:12 Aug, 2020 | 13:51
Updated At:04 Aug, 2024 | 08:55
Rejected At:
▼CVE Numbering Authority (CNA)

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.

Affected Products
Vendor
SAP SESAP SE
Product
SAP NetWeaver AS JAVA (ENGINEAPI)
Versions
Affected
  • < 7.10
Vendor
SAP SESAP SE
Product
SAP NetWeaver AS JAVA (WSRM)
Versions
Affected
  • < 7.10
  • < 7.11
  • < 7.20
  • < 7.30
  • < 7.31
  • < 7.40
  • < 7.50
Vendor
SAP SESAP SE
Product
SAP NetWeaver AS JAVA (J2EE-FRMW)
Versions
Affected
  • < 7.10
  • < 7.11
Problem Types
TypeCWE IDDescription
textN/AMissing Authentication check
Type: text
CWE ID: N/A
Description: Missing Authentication check
Metrics
VersionBase scoreBase severityVector
3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2941315
x_refsource_MISC
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
Resource:
x_refsource_MISC
Hyperlink: https://launchpad.support.sap.com/#/notes/2941315
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
x_refsource_MISC
x_transferred
https://launchpad.support.sap.com/#/notes/2941315
x_refsource_MISC
x_transferred
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://launchpad.support.sap.com/#/notes/2941315
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:12 Aug, 2020 | 14:15
Updated At:21 Jul, 2021 | 11:39

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Secondary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary2.07.8HIGH
AV:N/AC:L/Au:N/C:N/I:N/A:C
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 2.0
Base score: 7.8
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C
CPE Matches
SAP SE
sap
>>netweaver_application_server_java>>7.10
cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.11
cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.20
cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.30
cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.31
cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.40
cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*
SAP SE
sap
>>netweaver_application_server_java>>7.50
cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-306Primarynvd@nist.gov
CWE ID: CWE-306
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://launchpad.support.sap.com/#/notes/2941315cna@sap.com
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345cna@sap.com
Vendor Advisory
Hyperlink: https://launchpad.support.sap.com/#/notes/2941315
Source: cna@sap.com
Resource:
Permissions Required
Hyperlink: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

159Records found
CVE-2019-17532
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.98% / 75.89%
||
7 Day CHG~0.00%
Published-12 Oct, 2019 | 20:23
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057.PVT-OWRT-SNS devices. They allow remote attackers to cause a denial of service (persistent rules-processing outage) via a crafted ruleDbBody element in a StoreRules request to the upnp/control/rules1 URI, because database corruption occurs.

Action-Not Available
Vendor-n/aBelkin International, Inc.
Product-wemo_switch_28bwemo_switch_28b_firmwaren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-23906
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.73% / 71.69%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 00:00
Updated-28 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication for critical function exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote unauthenticated attacker to execute some critical functions without authentication, e.g., rebooting the product.

Action-Not Available
Vendor-seiko-solSeiko Solutions Inc.
Product-skybridge_mb-a110skybridge_mb-a100skybridge_mb-a110_firmwareskybridge_mb-a100_firmwareSkyBridge MB-A100/110
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-36619
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.98%
||
7 Day CHG~0.00%
Published-31 Aug, 2022 | 22:55
Updated-03 Aug, 2024 | 10:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In D-link DIR-816 A2_v1.10CNB04.img,the network can be reset without authentication via /goform/setMAC.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-816_firmwaredir-816n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-10042
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.66% / 70.12%
||
7 Day CHG~0.00%
Published-25 Mar, 2019 | 18:04
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/LoadDefaultSettings to reset the router without authentication.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-816_firmwaredir-816n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-1010136
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
ShareView Details
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
CVSS Score-7.5||HIGH
EPSS-1.21% / 78.18%
||
7 Day CHG~0.00%
Published-19 Jul, 2019 | 15:42
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access Control - Unauthenticated Remote Reboot. The impact is: PLC Wireless Router's are vulnerable to an unauthenticated remote reboot due. The component is: Reboot settings are available to unauthenticated users instead of only authenticaed users. The attack vector is: Remote.

Action-Not Available
Vendor-chinamobileltdChinaMobile
Product-gpn2.4p21-c-cngpn2.4p21-c-cn_firmwareGPN2.4P21-C-CN
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-35941
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.79% / 87.63%
||
7 Day CHG~0.00%
Published-29 Jun, 2021 | 20:22
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-wd_my_book_live_firmwarewd_my_book_livewd_my_book_live_duo_firmwarewd_my_book_live_duon/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-8419
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.20% / 42.46%
||
7 Day CHG~0.00%
Published-30 Jun, 2025 | 09:39
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ifm: Improper Access Control vulnerability in AC4xxS devices

The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication.

Action-Not Available
Vendor-ifm electronic GmbH
Product-ifm Smart PLC AC4xxS Firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-45049
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.29% / 51.75%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 20:33
Updated-28 Aug, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nix Hydra Missing authentication when triggering evaluations

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.

Action-Not Available
Vendor-NixOSnixos
Product-hydrahydra
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2017-10271
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-94.44% / 99.99%
||
7 Day CHG~0.00%
Published-19 Oct, 2017 | 17:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-08-10||Apply updates per vendor instructions.

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-weblogic_serverWebLogic ServerWebLogic Server
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found