CyberSec.Space Logo
Back to CVE Browser

CVE-2020-6287

Known Exploited (CISA KEV)CRITICAL
10.0
CVSS Severity Score
EPSS Score96.9890%
EPSS Percentile87.69th
PublishedJul 14, 2020
Last ModifiedOct 31, 2025

Vulnerability Description

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Affected Platforms (CPE)

πŸ“¦
Sap

Netweaver Application Server Java

= 7.30
πŸ“¦
Sap

Netweaver Application Server Java

= 7.31
πŸ“¦
Sap

Netweaver Application Server Java

= 7.40
πŸ“¦
Sap

Netweaver Application Server Java

= 7.50

References & Advisories

πŸ”— http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
πŸ”— http://seclists.org/fulldisclosure/2021/Apr/6
πŸ”— https://launchpad.support.sap.com/#/notes/2934135
πŸ”— https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
πŸ”— https://www.onapsis.com/recon-sap-cyber-security-vulnerability
πŸ”— http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
πŸ”— http://seclists.org/fulldisclosure/2021/Apr/6
πŸ”— https://launchpad.support.sap.com/#/notes/2934135

Related Vulnerabilities

CVE-2010-532610.0

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, whic...

CVE-2019-03459.8

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overv...

CVE-2021-375359.8

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform nece...

CVE-2019-03898.8

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5),...