CyberSec.Space Logo
Back to CVE Browser

CVE-2020-26829

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0440%
EPSS Percentile19.06th
PublishedDec 9, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.

Affected Platforms (CPE)

πŸ“¦
Sap

Netweaver Application Server Java

= 7.11
πŸ“¦
Sap

Netweaver Application Server Java

= 7.20
πŸ“¦
Sap

Netweaver Application Server Java

= 7.30
πŸ“¦
Sap

Netweaver Application Server Java

= 7.31
πŸ“¦
Sap

Netweaver Application Server Java

= 7.40
πŸ“¦
Sap

Netweaver Application Server Java

= 7.50

References & Advisories

πŸ”— http://packetstormsecurity.com/files/163166/SAP-Netweaver-JAVA-7.50-Missing-Authorization.html
πŸ”— http://seclists.org/fulldisclosure/2021/Jun/33
πŸ”— https://launchpad.support.sap.com/#/notes/2974774
πŸ”— https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
πŸ”— http://packetstormsecurity.com/files/163166/SAP-Netweaver-JAVA-7.50-Missing-Authorization.html
πŸ”— http://seclists.org/fulldisclosure/2021/Jun/33
πŸ”— https://launchpad.support.sap.com/#/notes/2974774
πŸ”— https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Related Vulnerabilities

CVE-2010-532610.0

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, whic...

CVE-2019-03459.8

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overv...

CVE-2021-375359.8

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform nece...

CVE-2019-03898.8

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5),...