CVE-2020-6318

Published: Sep 9, 2020Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate.

Affected (13)

Products: Sap: Abap Platform

1 product

Configuration A

13 vulnerable

Vulnerable Software	Affected Versions
Sap Abap Platform	Version 700
Sap Abap Platform	Version 701
Sap Abap Platform	Version 702
Sap Abap Platform	Version 710
Sap Abap Platform	Version 711
Sap Abap Platform	Version 730
Sap Abap Platform	Version 731
Sap Abap Platform	Version 740
Sap Abap Platform	Version 750
Sap Abap Platform	Version 751
Sap Abap Platform	Version 753
Sap Abap Platform	Version 754
Sap Abap Platform	Version 755

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (8)

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: cna@sap.com

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: cna@sap.com

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2958563

Source: cna@sap.com

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700

Source: cna@sap.com

Vendor Advisory

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/May/42

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://launchpad.support.sap.com/#/notes/2958563

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.