cvelistv5 - cve-2020-6268

CVE-2020-6268 (GCVE-0-2020-6268)

Vulnerability from cvelistv5 – Published: 2020-06-10 12:35 – Updated: 2024-08-04 08:55

Summary

Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CWE

Missing Authorization Check

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/2906996	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SAP SE	SAP ERP (Statutory Reporting for Insurance Companies)	Affected: < EA-FINSERV 600 Affected: < 603 Affected: < 604 Affected: < 605 Affected: < 606 Affected: < 616 Affected: < 617 Affected: < 618 Affected: < 800S4CORE 101 Affected: < 102 Affected: < 103 Affected: < 104

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:55:22.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/2906996"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP ERP (Statutory Reporting for Insurance Companies)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c EA-FINSERV 600"
            },
            {
              "status": "affected",
              "version": "\u003c 603"
            },
            {
              "status": "affected",
              "version": "\u003c 604"
            },
            {
              "status": "affected",
              "version": "\u003c 605"
            },
            {
              "status": "affected",
              "version": "\u003c 606"
            },
            {
              "status": "affected",
              "version": "\u003c 616"
            },
            {
              "status": "affected",
              "version": "\u003c 617"
            },
            {
              "status": "affected",
              "version": "\u003c 618"
            },
            {
              "status": "affected",
              "version": "\u003c 800S4CORE 101"
            },
            {
              "status": "affected",
              "version": "\u003c 102"
            },
            {
              "status": "affected",
              "version": "\u003c 103"
            },
            {
              "status": "affected",
              "version": "\u003c 104"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Missing Authorization Check",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-10T12:35:27",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/2906996"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6268",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP ERP (Statutory Reporting for Insurance Companies)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "EA-FINSERV 600"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "603"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "604"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "605"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "606"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "616"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "617"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "618"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "800S4CORE 101"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "102"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "103"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "104"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "5.4",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Authorization Check"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/2906996",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/2906996"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2020-6268",
    "datePublished": "2020-06-10T12:35:27",
    "dateReserved": "2020-01-08T00:00:00",
    "dateUpdated": "2024-08-04T08:55:22.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):600:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDDEDCE8-4D47-4DF8-B695-3DD8F038E8CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):603:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F74C18C0-9673-4FBF-A92A-6AE4361B67C6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):604:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"81FEFC98-311D-483D-B1EA-AC557F8D0FC7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):605:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC594DEE-4BFB-487C-8872-0669D7586D89\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):606:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2AD55C9B-46DD-4A49-9F87-EEE104B770B2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):616:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"009B1BB0-1746-4EA1-AFC6-27D27F46C555\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):617:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F7CD93E-832C-4DBA-95E2-8BDBF18FBD96\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):618:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A026D77-9B58-43F4-B308-435ACC77D203\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):800:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F28DE352-9903-4E6A-BC74-2BFD971F82F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):101:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2B21140-C45E-4F25-95E3-0C741FB5EF43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):102:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0BEF0EE-5FF8-4B55-AAA2-D99D7EE43DAB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):103:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F355C445-63CA-44C9-A49C-6AC08EF4460E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):104:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D6A0B88-C577-4A59-815D-646EF9ACF5F2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.\"}, {\"lang\": \"es\", \"value\": \"Statutory Reporting de Insurance Companies en SAP ERP (EA-FINSERV versiones - 600, 603, 604, 605, 606, 616, 617, 618, 800 y S4CORE versiones 101, 102, 103, 104) no ejecuta las comprobaciones de autorizaci\\u00f3n requeridas para un usuario autenticado, que permite a un atacante visualizar y manipular determinados datos restringidos conllevando a una Falta de Verificaci\\u00f3n de Autorizaci\\u00f3n\"}]",
      "id": "CVE-2020-6268",
      "lastModified": "2024-11-21T05:35:24.690",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}], \"cvssMetricV30\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:N\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-10T13:15:18.290",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/2906996\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2906996\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-6268\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2020-06-10T13:15:18.290\",\"lastModified\":\"2024-11-21T05:35:24.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.\"},{\"lang\":\"es\",\"value\":\"Statutory Reporting de Insurance Companies en SAP ERP (EA-FINSERV versiones - 600, 603, 604, 605, 606, 616, 617, 618, 800 y S4CORE versiones 101, 102, 103, 104) no ejecuta las comprobaciones de autorizaci\u00f3n requeridas para un usuario autenticado, que permite a un atacante visualizar y manipular determinados datos restringidos conllevando a una Falta de Verificaci\u00f3n de Autorizaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV30\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:N\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):600:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDDEDCE8-4D47-4DF8-B695-3DD8F038E8CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):603:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F74C18C0-9673-4FBF-A92A-6AE4361B67C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):604:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81FEFC98-311D-483D-B1EA-AC557F8D0FC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):605:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC594DEE-4BFB-487C-8872-0669D7586D89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):606:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AD55C9B-46DD-4A49-9F87-EEE104B770B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):616:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"009B1BB0-1746-4EA1-AFC6-27D27F46C555\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):617:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F7CD93E-832C-4DBA-95E2-8BDBF18FBD96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):618:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A026D77-9B58-43F4-B308-435ACC77D203\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(ea-finserv\\\\):800:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F28DE352-9903-4E6A-BC74-2BFD971F82F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):101:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2B21140-C45E-4F25-95E3-0C741FB5EF43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):102:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0BEF0EE-5FF8-4B55-AAA2-D99D7EE43DAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):103:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F355C445-63CA-44C9-A49C-6AC08EF4460E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:erp_\\\\(s4core\\\\):104:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D6A0B88-C577-4A59-815D-646EF9ACF5F2\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2906996\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2906996\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GSD-2020-6268

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-6268

Aliases

CVE-2020-6268

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-6268",
    "description": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.",
    "id": "GSD-2020-6268"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-6268"
      ],
      "details": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.",
      "id": "GSD-2020-6268",
      "modified": "2023-12-13T01:21:55.095167Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2020-6268",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP ERP (Statutory Reporting for Insurance Companies)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "EA-FINSERV 600"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "603"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "604"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "605"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "606"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "616"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "617"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "618"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "800S4CORE 101"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "102"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "103"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "104"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "5.4",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Missing Authorization Check"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/2906996",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/2906996"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):600:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):603:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):604:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):605:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):606:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):616:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):617:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):618:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):800:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(s4core\\):101:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(s4core\\):102:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(s4core\\):103:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:erp_\\(s4core\\):104:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6268"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/2906996",
              "refsource": "MISC",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2906996"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2020-06-16T14:36Z",
      "publishedDate": "2020-06-10T13:15Z"
    }
  }
}

CERTFR-2020-AVI-350

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP SuccessFactors Recruiting version 2005
SAP	N/A	SAP Solution Manager (Problem Context Manager) version 7.2
SAP	N/A	SAP Liquidity Management for Banking version 6.2
SAP	N/A	.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104
SAP	N/A	SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905
SAP	N/A	SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500
SAP	N/A	SAP Business Objects Business Intelligence Platform version 4.2
SAP	N/A	SAP Gateway versions 7.40 et 2.00
SAP	N/A	SAP Business One (Backup service) versions 9.3,et 10.0
SAP	N/A	SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E
SAP	N/A	SAP Gateway versions 7.5, 7.51, 7.52 et 7.53
SAP	N/A	SAP Solution Manager (Trace Analysis) version 7.20
SAP	N/A	SAP Commerce versions 6.7, 1808, 1811 et 1905
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 547426775 du 09 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP SuccessFactors Recruiting version 2005",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Problem Context Manager) version 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Liquidity Management for Banking version 6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": ".30, 7.31, 7.40 et 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform version 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.40 et 2.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business One (Backup service) versions 9.3,et 10.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.5, 7.51, 7.52 et 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Trace Analysis) version 7.20",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6266"
    },
    {
      "name": "CVE-2020-6246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6246"
    },
    {
      "name": "CVE-2020-6263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6263"
    },
    {
      "name": "CVE-2020-6271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6271"
    },
    {
      "name": "CVE-2019-17571",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
    },
    {
      "name": "CVE-2020-6268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6268"
    },
    {
      "name": "CVE-2019-0319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0319"
    },
    {
      "name": "CVE-2020-6264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6264"
    },
    {
      "name": "CVE-2020-6279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6279"
    },
    {
      "name": "CVE-2020-6269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6269"
    },
    {
      "name": "CVE-2020-6270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6270"
    },
    {
      "name": "CVE-2020-1938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1938"
    },
    {
      "name": "CVE-2020-6239",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6239"
    },
    {
      "name": "CVE-2020-6275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6275"
    },
    {
      "name": "CVE-2020-6260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6260"
    },
    {
      "name": "CVE-2020-6265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6265"
    },
    {
      "name": "CVE-2018-1000632",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000632"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-350",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 547426775 du 09 juin 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ]
}

CERTFR-2020-AVI-350

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP SuccessFactors Recruiting version 2005
SAP	N/A	SAP Solution Manager (Problem Context Manager) version 7.2
SAP	N/A	SAP Liquidity Management for Banking version 6.2
SAP	N/A	.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104
SAP	N/A	SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905
SAP	N/A	SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500
SAP	N/A	SAP Business Objects Business Intelligence Platform version 4.2
SAP	N/A	SAP Gateway versions 7.40 et 2.00
SAP	N/A	SAP Business One (Backup service) versions 9.3,et 10.0
SAP	N/A	SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E
SAP	N/A	SAP Gateway versions 7.5, 7.51, 7.52 et 7.53
SAP	N/A	SAP Solution Manager (Trace Analysis) version 7.20
SAP	N/A	SAP Commerce versions 6.7, 1808, 1811 et 1905
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 547426775 du 09 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP SuccessFactors Recruiting version 2005",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Problem Context Manager) version 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Liquidity Management for Banking version 6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": ".30, 7.31, 7.40 et 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform version 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.40 et 2.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business One (Backup service) versions 9.3,et 10.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.5, 7.51, 7.52 et 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Trace Analysis) version 7.20",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6266"
    },
    {
      "name": "CVE-2020-6246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6246"
    },
    {
      "name": "CVE-2020-6263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6263"
    },
    {
      "name": "CVE-2020-6271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6271"
    },
    {
      "name": "CVE-2019-17571",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
    },
    {
      "name": "CVE-2020-6268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6268"
    },
    {
      "name": "CVE-2019-0319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0319"
    },
    {
      "name": "CVE-2020-6264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6264"
    },
    {
      "name": "CVE-2020-6279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6279"
    },
    {
      "name": "CVE-2020-6269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6269"
    },
    {
      "name": "CVE-2020-6270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6270"
    },
    {
      "name": "CVE-2020-1938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1938"
    },
    {
      "name": "CVE-2020-6239",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6239"
    },
    {
      "name": "CVE-2020-6275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6275"
    },
    {
      "name": "CVE-2020-6260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6260"
    },
    {
      "name": "CVE-2020-6265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6265"
    },
    {
      "name": "CVE-2018-1000632",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000632"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-350",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 547426775 du 09 juin 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ]
}

FKIE_CVE-2020-6268

Vulnerability from fkie_nvd - Published: 2020-06-10 13:15 - Updated: 2024-11-21 05:35

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/2906996	Permissions Required
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/2906996	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	erp_\(ea-finserv\)	600
sap	erp_\(ea-finserv\)	603
sap	erp_\(ea-finserv\)	604
sap	erp_\(ea-finserv\)	605
sap	erp_\(ea-finserv\)	606
sap	erp_\(ea-finserv\)	616
sap	erp_\(ea-finserv\)	617
sap	erp_\(ea-finserv\)	618
sap	erp_\(ea-finserv\)	800
sap	erp_\(s4core\)	101
sap	erp_\(s4core\)	102
sap	erp_\(s4core\)	103
sap	erp_\(s4core\)	104

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):600:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDDEDCE8-4D47-4DF8-B695-3DD8F038E8CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):603:*:*:*:*:*:*:*",
              "matchCriteriaId": "F74C18C0-9673-4FBF-A92A-6AE4361B67C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):604:*:*:*:*:*:*:*",
              "matchCriteriaId": "81FEFC98-311D-483D-B1EA-AC557F8D0FC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):605:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC594DEE-4BFB-487C-8872-0669D7586D89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):606:*:*:*:*:*:*:*",
              "matchCriteriaId": "2AD55C9B-46DD-4A49-9F87-EEE104B770B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):616:*:*:*:*:*:*:*",
              "matchCriteriaId": "009B1BB0-1746-4EA1-AFC6-27D27F46C555",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):617:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F7CD93E-832C-4DBA-95E2-8BDBF18FBD96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):618:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A026D77-9B58-43F4-B308-435ACC77D203",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):800:*:*:*:*:*:*:*",
              "matchCriteriaId": "F28DE352-9903-4E6A-BC74-2BFD971F82F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):101:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2B21140-C45E-4F25-95E3-0C741FB5EF43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):102:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0BEF0EE-5FF8-4B55-AAA2-D99D7EE43DAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):103:*:*:*:*:*:*:*",
              "matchCriteriaId": "F355C445-63CA-44C9-A49C-6AC08EF4460E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):104:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D6A0B88-C577-4A59-815D-646EF9ACF5F2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
    },
    {
      "lang": "es",
      "value": "Statutory Reporting de Insurance Companies en SAP ERP (EA-FINSERV versiones - 600, 603, 604, 605, 606, 616, 617, 618, 800 y S4CORE versiones 101, 102, 103, 104) no ejecuta las comprobaciones de autorizaci\u00f3n requeridas para un usuario autenticado, que permite a un atacante visualizar y manipular determinados datos restringidos conllevando a una Falta de Verificaci\u00f3n de Autorizaci\u00f3n"
    }
  ],
  "id": "CVE-2020-6268",
  "lastModified": "2024-11-21T05:35:24.690",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-10T13:15:18.290",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2906996"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2906996"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-C687-3W98-PG2Q

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-6268"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-10T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.",
  "id": "GHSA-c687-3w98-pg2q",
  "modified": "2022-05-24T17:20:08Z",
  "published": "2022-05-24T17:20:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6268"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2906996"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-6268 (GCVE-0-2020-6268)

GSD-2020-6268

CERTFR-2020-AVI-350

Solution

CERTFR-2020-AVI-350

Solution

FKIE_CVE-2020-6268

GHSA-C687-3W98-PG2Q

Tags

Sightings

Nomenclature