fkie_cve-2020-6316
Vulnerability from fkie_nvd
Published
2020-11-10 17:15
Modified
2024-11-21 05:35
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.
References
cna@sap.comhttps://launchpad.support.sap.com/#/notes/2944188Permissions Required
cna@sap.comhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://launchpad.support.sap.com/#/notes/2944188Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571Vendor Advisory
Impacted products
Vendor Product Version
sap erp 600
sap erp 602
sap erp 603
sap erp 604
sap erp 605
sap erp 606
sap erp 616
sap erp 617
sap erp 618
sap s\/4hana 100
sap s\/4hana 101
sap s\/4hana 102
sap s\/4hana 103
sap s\/4hana 104


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:erp:600:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E53BFD1-8B0D-4BAD-ABA8-24C4FB25036F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:602:*:*:*:*:*:*:*",
              "matchCriteriaId": "973DF1B4-A0F9-4D7C-9367-BA3380F9E426",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:603:*:*:*:*:*:*:*",
              "matchCriteriaId": "E560E999-5E5E-4EC2-87A7-DF52F3E1BD3D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:604:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9E38906-8B63-4E06-8BF3-EDC5BFF0BAF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:605:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C4FD4F9-A427-44EC-A266-B7BD9C4C7D63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:606:*:*:*:*:*:*:*",
              "matchCriteriaId": "0107AAA9-C29D-4447-847A-B1825C947D8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:616:*:*:*:*:*:*:*",
              "matchCriteriaId": "6327AA0C-A8EF-47BC-BD27-B7835EC26AC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:617:*:*:*:*:*:*:*",
              "matchCriteriaId": "619506AC-B6AB-4C7B-9A70-3B1753E2C441",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:erp:618:*:*:*:*:*:*:*",
              "matchCriteriaId": "4573BD22-D50B-431E-928A-C495E342D1AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s\\/4hana:100:*:*:*:*:*:*:*",
              "matchCriteriaId": "11051D6A-FC81-4951-ACDA-BB07D5A5D751",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s\\/4hana:101:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6FE144C-BAF2-4E45-93EE-D70764BDEFD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s\\/4hana:102:*:*:*:*:*:*:*",
              "matchCriteriaId": "55BACB30-A607-410E-AB05-E991CC19CE12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s\\/4hana:103:*:*:*:*:*:*:*",
              "matchCriteriaId": "95A0C742-4CBD-46B8-B2B3-5949EFC82A6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:s\\/4hana:104:*:*:*:*:*:*:*",
              "matchCriteriaId": "14A540DA-F234-4EEA-ADE8-4F6306A86C1E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check."
    },
    {
      "lang": "es",
      "value": "SAP ERP y SAP S/4 HANA, permiten a un usuario autenticado visualizar los registros de costos de objetos para los que no cuenta con autorizaci\u00f3n en los reportes de PS, conllevando a una Falta de Comprobaci\u00f3n de Autorizaci\u00f3n"
    }
  ],
  "id": "CVE-2020-6316",
  "lastModified": "2024-11-21T05:35:29.747",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-11-10T17:15:15.233",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2944188"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2944188"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.