FKIE_CVE-2020-6262

Vulnerability from fkie_nvd - Published: 2020-05-12 18:15 - Updated: 2024-11-21 05:35
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application and the whole ABAP system leading to Code Injection.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/2835979Permissions Required
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/2835979Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222Vendor Advisory
Impacted products
Vendor Product Version
sap application_server 740
sap application_server 2008_1_46c
sap application_server 2008_1_620
sap application_server 2008_1_640
sap application_server 2008_1_700
sap application_server 2008_1_710
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:application_server:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9BAB482-B7A5-47CC-92BD-250294B5570A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:application_server:2008_1_46c:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2CE901C-0E61-47E3-A16D-52BDCC0EBFA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:application_server:2008_1_620:*:*:*:*:*:*:*",
              "matchCriteriaId": "836C14DC-888B-4FF1-80E7-B9F9330FE425",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:application_server:2008_1_640:*:*:*:*:*:*:*",
              "matchCriteriaId": "07DA7FF8-E20C-4926-8C04-ED29F405EE2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:application_server:2008_1_700:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8415C2F-D676-4140-A8E2-380339558D89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:application_server:2008_1_710:*:*:*:*:*:*:*",
              "matchCriteriaId": "AECA3EDA-A5F5-49D6-810B-D292D1070C33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application and the whole ABAP system leading to Code Injection."
    },
    {
      "lang": "es",
      "value": "Service Data Download en SAP Application Server ABAP (ST-PI, versiones anteriores a 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740), permite a un atacante inyectar c\u00f3digo que puede ser ejecutado por la aplicaci\u00f3n. Un atacante podr\u00eda as\u00ed controlar el comportamiento de la aplicaci\u00f3n y de todo el sistema ABAP conllevando a una inyecci\u00f3n de c\u00f3digo."
    }
  ],
  "id": "CVE-2020-6262",
  "lastModified": "2024-11-21T05:35:24.010",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-05-12T18:15:14.850",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2835979"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2835979"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.