CVE-2020-26838

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-26838

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

9.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

S

AP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.

References
Link Resource
https://launchpad.support.sap.com/#/notes/2983367 Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 Vendor Advisory
https://launchpad.support.sap.com/#/notes/2983367 Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:business_warehouse:700:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:701:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:702:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:731:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:750:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:751:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:752:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:753:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:754:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:755:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_warehouse:782:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:100:*:*:*:*:*:*:*
cpe:2.3:a:sap:bw\/4hana:200:*:*:*:*:*:*:*
History

21 Nov 2024, 05:20

Type Values Removed Values Added
References () https://launchpad.support.sap.com/#/notes/2983367 - Permissions Required () https://launchpad.support.sap.com/#/notes/2983367 - Permissions Required
References () https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 - Vendor Advisory () https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 - Vendor Advisory
Information

Published : 2020-12-09 17:15

Updated : 2024-11-21 05:20

NVD link : CVE-2020-26838

Mitre link : CVE-2020-26838

CVE.ORG link : CVE-2020-26838

JSON object : View

Products Affected

sap

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')