CVE-2020-26829

Published: Dec 9, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.0

10.0

CRITICAL

Description

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.

Vendor	Product	Versions
SAP SE	SAP NetWeaver AS JAVA (P2P Cluster Communication)	affected `< 7.11` affected `< 7.20` affected `< 7.30` affected `< 7.31` affected `< 7.40` +1 more versions

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/2974774

x_refsource_MISC

20210614 Onapsis Security Advisory 2021-0013: [CVE-2020-26829] - Missing Authentication Check In SAP NetWeaver AS JAVA P2P Cluster communication

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/163166/SAP-Netweaver-JAVA-7.50-Missing-Authorization.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-26829

Description

Affected Products

CVSS v3.0 Details

References