Skip to main content

Netweaver Application Server Java CVE-2020-6309

HIGH
Missing Authentication for Critical Function (CWE-306)
2020-08-12 cna@sap.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 12, 2020 - 14:15 nvd
HIGH 7.5

DescriptionNVD

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.

AnalysisAI

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. Affected products include: Sap Netweaver Application Server Java.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.

CVE-2016-3974 CRITICAL POC
9.1 Apr 07

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remo

CVE-2020-6287 CRITICAL POC
10.0 Jul 14

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication c

CVE-2016-3975 MEDIUM POC
6.1 Apr 07

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbi

CVE-2020-26829 CRITICAL
10.0 Dec 09

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary conne

CVE-2023-40309 CRITICAL
9.8 Sep 12

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization

CVE-2021-37535 CRITICAL
9.8 Sep 14

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not pe

CVE-2020-6263 CRITICAL
9.8 Jun 10

Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10,

CVE-2019-0345 CRITICAL
9.8 Aug 14

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator Sy

CVE-2024-22127 CRITICAL
9.1 Mar 12

SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high priv

CVE-2017-7717 HIGH
8.8 Apr 14

SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allo

CVE-2017-8913 HIGH
8.8 May 23

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML

CVE-2015-8840 HIGH
8.8 Apr 08

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote auth

Share

CVE-2020-6309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy